Systems and methods for queue control based on client-specific protocols

ABSTRACT

The present disclosure generally relates to controlling access to resources by selectively processing requests stored in a task queue to prioritize certain requests over others, thereby preventing automated scripts from accessing the resources. More specifically, the present disclosure relates to a normalization and prioritization system for controlling access to resources by queuing resource requests based on a client-defined normalization process that uses one or more data sources.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.16/812,051, filed on Mar. 6, 2020, which claims the priority benefit ofU.S. Provisional Application No. 62/814,644, filed on Mar. 6, 2019, thedisclosure of each of which is incorporated herein by reference in itsentirety for all purposes.

TECHNICAL FIELD

The present disclosure generally relates to controlling access toresources by selectively processing requests stored in a task queue toprioritize certain requests over others, thereby preventing automatedscripts from accessing the resources. More specifically, the presentdisclosure relates to a normalization and prioritization system forcontrolling access to resources by queuing resource requests based on aclient-defined normalization process that uses one or more data sources.

BACKGROUND

Automated scripts can be configured to access interfaces and mimic useractions, such as selecting links and transmitting user requests.Further, automated scripts can impose a burden on the computationalefficiency of systems, network traffic, and processing load of servers,such as servers that control access to resources. Detecting requestsoriginating from automated scripts, however, is a significant technicalchallenge. As automated scripts become more complex, detecting whichrequests originated from an automated script is increasingly challengingand burdensome on processing resources. Additionally, automated scriptsmay be configured differently for different resources, and thus,techniques for detecting automated scripts targeting one resource maynot successfully control access to another resource.

SUMMARY

The term embodiment and like terms are intended to refer broadly to allof the subject matter of this disclosure and the claims below.Statements containing these terms should be understood not to limit thesubject matter described herein or to limit the meaning or scope of theclaims below. Embodiments of the present disclosure covered herein aredefined by the claims below, not this summary. This summary is ahigh-level overview of various aspects of the disclosure and introducessome of the concepts that are further described in the DetailedDescription section below. This summary is not intended to identify keyor essential features of the claimed subject matter, nor is it intendedto be used in isolation to determine the scope of the claimed subjectmatter. The subject matter should be understood by reference toappropriate portions of the entire specification of this disclosure, anyor all drawings and each claim.

Certain aspects and features of the present disclosure relate tocontrolling access to resources by selectively processing requestsstored in a task queue to prioritize certain requests over others,thereby preventing automated scripts from accessing the resources. Eachresource may be provided by or associated with a client. The client maydefine one or more protocols stored in a database. A protocol may beassociated with user records stored in or represented by a data source.For example, a protocol may be a protocol indicating a client'spreference for providing access to a resource to users who areassociated with user records stored in a certain client-defined orclient-identified data source. Executing a protocol may includemodifying existing user parameters of a set of users requesting accessto the resource to bias towards a subset of users who are associatedwith user records stored in a client-identified data source. Forexample, a user parameter may be generated to represent a determinedcharacteristic, classification, or segmentation of a user. A userparameter may be determined using data stored in one or more databases(internal or external to a primary load management system). The modifieduser parameters may then be used to order the set of users into queuepositions of a digital queue. At a regular or irregular time interval, agroup of queue positions of the digital queue may be granted access toan interface that enables a user to request access to the resource.

A resource (e.g., an event) may be associated with a plurality of accessrights (e.g., event tickets). Each access right may grant access to aspatial area (e.g., a venue) associated with the resource for a definedperiod of time. A user may operate a user device to transmit a requestto a primary load management system, which determines whether to assignaccess right(s) to users. The request originating from a user device maybe for one or more access rights to a resource to be assigned to theuser or user device. Assigning an access right to a user enables thatuser to access the spatial area associated with the resource during thedefined period of time. The primary load management system may host aninterface (e.g., an event data page) that enables users to requestassignment of access rights. Before being provided with access to theinterface, however, the user may be placed at a queue position of adigital queue (e.g., after logging into a platform operated by theprimary load management system).

Certain aspects and features of the present disclosure relate toautomatically determining which queue position to assign to each userwho accesses the platform (e.g., intending to access the interface totransmit a request for assignment of one or more access rights). Thequeue positions of users may determine an ordering of users who areprovided with access to the interface that enables a user to transmitrequests for access rights. The queue positions may be determined by anormalization system that modifies user parameters by executing one ormore protocols specific to the client associated with the resource. Theone or more protocols may be configured to support an objective of theclient. The protocols may be configured independently for each client,and thus, may be different across different clients. Accordingly, as atechnical advantage, the assignment of queue positions of a digitalqueue to users who intend to request access rights to a resource may bedetermined using a different technique for each resource, thereby makingit more difficult for automated scripts to obtain access rights overhuman users.

A system of one or more computers can be configured to performparticular operations or actions by virtue of having software, firmware,hardware, or a combination of them installed on the system that inoperation causes or cause the system to perform the actions. One or morecomputer programs can be configured to perform particular operations oractions by virtue of including instructions that, when executed by dataprocessing apparatus, cause the apparatus to perform the actions. Onegeneral aspect includes a computer-implemented method including:generating, at a primary load management system, an interface configuredto enable a user device to transmit a request for assignment of one ormore access rights to a resource, and where the interface is accessibleto user devices for which access to the interface has been granted bythe primary load management system. The computer-implemented method alsoincludes receiving, at the primary load management system, acommunication from each of a plurality of user devices, and thecommunication from each user device including a request to access theinterface. The computer-implemented method also includes retrieving aplurality of user parameters, each user parameter of the plurality ofuser parameters being associated with a user device from which acommunication was received. The computer-implemented method alsoincludes retrieving a protocol specific to the resource, the protocolbeing defined by a client associated with the resource, and the protocolbeing configured to determine an ordinal arrangement of user devicesawaiting access to the interface. The computer-implemented method alsoincludes executing the protocol, the execution of the protocol causingthe plurality of user parameters to be normalized, where normalizing theplurality of user parameters includes modifying at least one userparameter of the plurality of user parameters to bias access to theinterface towards a target group of user devices from amongst theplurality of user devices. The computer-implemented method also includesassigning a queue position of a digital queue to each of the pluralityof user devices, the assignment of the queue positions being based onthe plurality of normalized user parameters, and the digital queuerepresenting the ordinal arrangement of user devices awaiting access tothe interface. The computer-implemented method also includes selecting,at a regular or irregular interval, one or more user devices of theplurality of user devices, the selection being based on the ordinalarrangement of the plurality of user devices, and each user device ofthe one or more user devices being granted access to the interface.Other embodiments of this aspect include corresponding computer systems,apparatus, and computer programs recorded on one or more computerstorage devices, each configured to perform the actions of the methods.

Implementations may include one or more of the following features. Thecomputer-implemented method where biasing access to the interfacetowards the target group of user devices further includes: identifyingwhich user devices of the plurality of user devices are also included inthe target group of user devices. The computer-implemented method mayalso include for each user device included in both the plurality of userdevices and the target group of user devices, modifying the userparameter corresponding to the user device so as to change a queueposition associated with the user device, so that the user device isselected to access to the interface before a user device that is notincluded in the target group. The computer-implemented method furtherincluding: granting access to the interface for each user deviceincluded in the selected one or more user devices. Thecomputer-implemented method may also include receiving, at theinterface, a request for assignment of an access right to the resource,the request for assignment of the access right being received from auser device included in the selected one or more user devices. Thecomputer-implemented method may also include in response to receivingthe request for assignment, assigning the access right to the resourceto the user device. The computer-implemented method where a user deviceof the plurality of user devices is not granted access to the interfaceuntil the user device is included in the selected one or more userdevices. The computer-implemented method where each user parameterincludes a value that represents a characteristic of the correspondinguser device or a user associated with the corresponding user device. Thecomputer-implemented method further including: generating a token foreach user device of the plurality of user devices awaiting access to theinterface, where the token is a unique value that validates a durationof time the user device awaited access to the interface in the digitalqueue. The computer-implemented method where each user device includedin the target group of user devices is associated with an attributedetermined by the client. Implementations of the described techniquesmay include hardware, a method or process, or computer software on acomputer-accessible medium.

One general aspect includes a system, including: one or more processors;and a non-transitory computer-readable storage medium containinginstructions which, when executed on the one or more processors, causethe one or more processors to perform operations including: generating,at a primary load management system, an interface configured to enable auser device to transmit a request for assignment of one or more accessrights to a resource, and where the interface is accessible to userdevices for which access to the interface has been granted by theprimary load management system. The system also includes receiving, atthe primary load management system, a communication from each of aplurality of user devices, and the communication from each user deviceincluding a request to access the interface. The system also includesretrieving a plurality of user parameters, each user parameter of theplurality of user parameters being associated with a user device fromwhich a communication was received. The system also includes retrievinga protocol specific to the resource, the protocol being defined by aclient associated with the resource, and the protocol being configuredto determine an ordinal arrangement of user devices awaiting access tothe interface. The system also includes executing the protocol, theexecution of the protocol causing the plurality of user parameters to benormalized, where normalizing the plurality of user parameters includesmodifying at least one user parameter of the plurality of userparameters to bias access to the interface towards a target group ofuser devices from amongst the plurality of user devices. The system alsoincludes assigning a queue position of a digital queue to each of theplurality of user devices, the assignment of the queue positions beingbased on the plurality of normalized user parameters, and the digitalqueue representing the ordinal arrangement of user devices awaitingaccess to the interface. The system also includes selecting, at aregular or irregular interval, one or more user devices of the pluralityof user devices, the selection being based on the ordinal arrangement ofthe plurality of user devices, and each user device of the one or moreuser devices being granted access to the interface. Other embodiments ofthis aspect include corresponding computer systems, apparatus, andcomputer programs recorded on one or more computer storage devices, eachconfigured to perform the actions of the methods.

Implementations may include one or more of the following features. Thesystem where the operation of biasing access to the interface towardsthe target group of user devices further includes: identifying whichuser devices of the plurality of user devices are also included in thetarget group of user devices. The system may also include for each userdevice included in both the plurality of user devices and the targetgroup of user devices, modifying the user parameter corresponding to theuser device so as to change a queue position associated with the userdevice, so that the user device is selected to access to the interfacebefore a user device that is not included in the target group. Thesystem where the operations further include: granting access to theinterface for each user device included in the selected one or more userdevices. The system may also include receiving, at the interface, arequest for assignment of an access right to the resource, the requestfor assignment of the access right being received from a user deviceincluded in the selected one or more user devices. The system may alsoinclude in response to receiving the request for assignment, assigningthe access right to the resource to the user device. The system where auser device of the plurality of user devices is not granted access tothe interface until the user device is included in the selected one ormore user devices. The system where each user parameter includes a valuethat represents a characteristic of the corresponding user device or auser associated with the corresponding user device. The system where theoperations further include: generating a token for each user device ofthe plurality of user devices awaiting access to the interface, wherethe token is a unique value that validates a duration of time the userdevice awaited access to the interface in the digital queue. The systemwhere each user device included in the target group of user devices isassociated with an attribute determined by the client. Implementationsof the described techniques may include hardware, a method or process,or computer software on a computer-accessible medium.

One general aspect includes a computer-program product tangibly embodiedin a non-transitory machine-readable storage medium, includinginstructions configured to cause a processing apparatus to performoperations including: generating, at a primary load management system,an interface configured to enable a user device to transmit a requestfor assignment of one or more access rights to a resource, and where theinterface is accessible to user devices for which access to theinterface has been granted by the primary load management system. Thecomputer-program product also includes receiving, at the primary loadmanagement system, a communication from each of a plurality of userdevices, and the communication from each user device including a requestto access the interface. The computer-program product also includesretrieving a plurality of user parameters, each user parameter of theplurality of user parameters being associated with a user device fromwhich a communication was received. The computer-program product alsoincludes retrieving a protocol specific to the resource, the protocolbeing defined by a client associated with the resource, and the protocolbeing configured to determine an ordinal arrangement of user devicesawaiting access to the interface. The computer-program product alsoincludes executing the protocol, the execution of the protocol causingthe plurality of user parameters to be normalized, where normalizing theplurality of user parameters includes modifying at least one userparameter of the plurality of user parameters to bias access to theinterface towards a target group of user devices from amongst theplurality of user devices. The computer-program product also includesassigning a queue position of a digital queue to each of the pluralityof user devices, the assignment of the queue positions being based onthe plurality of normalized user parameters, and the digital queuerepresenting the ordinal arrangement of user devices awaiting access tothe interface. The computer-program product also includes selecting, ata regular or irregular interval, one or more user devices of theplurality of user devices, the selection being based on the ordinalarrangement of the plurality of user devices, and each user device ofthe one or more user devices being granted access to the interface.Other embodiments of this aspect include corresponding computer systems,apparatus, and computer programs recorded on one or more computerstorage devices, each configured to perform the actions of the methods.

Implementations may include one or more of the following features. Thenon-transitory machine-readable storage medium where the operation ofbiasing access to the interface towards the target group of user devicesfurther includes: identifying which user devices of the plurality ofuser devices are also included in the target group of user devices. Thenon-transitory machine-readable storage medium may also include for eachuser device included in both the plurality of user devices and thetarget group of user devices, modifying the user parameter correspondingto the user device so as to change a queue position associated with theuser device, so that the user device is selected to access to theinterface before a user device that is not included in the target group.The non-transitory machine-readable storage medium where the operationsfurther include: granting access to the interface for each user deviceincluded in the selected one or more user devices. The non-transitorymachine-readable storage medium may also include receiving, at theinterface, a request for assignment of an access right to the resource,the request for assignment of the access right being received from auser device included in the selected one or more user devices. Thenon-transitory machine-readable storage medium may also include inresponse to receiving the request for assignment, assigning the accessright to the resource to the user device. The non-transitorymachine-readable storage medium where a user device of the plurality ofuser devices is not granted access to the interface until the userdevice is included in the selected one or more user devices. Thenon-transitory machine-readable storage medium where each user parameterincludes a value that represents a characteristic of the correspondinguser device or a user associated with the corresponding user device. Thenon-transitory machine-readable storage medium where the operationsfurther include: generating a token for each user device of theplurality of user devices awaiting access to the interface, where thetoken is a unique value that validates a duration of time the userdevice awaited access to the interface in the digital queue.Implementations of the described techniques may include hardware, amethod or process, or computer software on a computer-accessible medium.

BRIEF DESCRIPTION OF THE DRAWINGS

The specification makes reference to the following appended figures, inwhich use of like reference numerals in different figures is intended toillustrate like or analogous components.

FIG. 1 depicts a block diagram of an embodiment of a resourceaccess-facilitating interaction system;

FIG. 2 shows an illustration of hardware and network connections of aresource access-facilitating interaction system according to anembodiment of the invention;

FIG. 3 shows an illustration of a communication exchange betweencomponents involved in a resource access-facilitating interaction systemaccording to an embodiment of the invention;

FIG. 4 illustrates example components of a device;

FIG. 5 illustrates example components of resource access coordinatormodule;

FIG. 6 illustrates a flowchart of an embodiment of a process forassigning access rights for resources;

FIGS. 7A and 7B show embodiments of site systems in relations to mobiledevices;

FIG. 8 shows a block diagram of user device according to an embodiment;

FIG. 9 illustrates sample components of an embodiment of site system180, including connections to a NAS and access management system;

FIGS. 10A and 10B illustrate examples of communication exchangesinvolving primary and secondary load management systems.

FIG. 11 is a block diagram illustrating a network environment forenabling access rights to be queried in a hierarchical manner based onresource-affinity parameters, according to some aspects of the presentdisclosure.

FIG. 12 is a swimlane diagram illustrating an example data flow of anetwork environment, according to some aspects of the presentdisclosure.

FIG. 13 is a block diagram illustrating a network environment forgenerating user parameters, according to some aspects of the presentdisclosure.

FIG. 14 is a block diagram illustrating a network environment forassigning queue positions of a digital queue to user devices based on aclient-specific protocol, according to some aspects of the presentdisclosure.

DETAILED DESCRIPTION

The illustrative examples described herein are given to introduce thereader to the general subject matter discussed here and are not intendedto limit the scope of the disclosed concepts. The following sectionsdescribe various additional features and examples with reference to thedrawings in which like numerals indicate like elements, and directionaldescriptions are used to describe the illustrative embodiments but, likethe illustrative embodiments, should not be used to limit the presentdisclosure. The elements included in the illustrations herein may not bedrawn to scale.

FIG. 1 depicts a block diagram of an embodiment of a resource managementsystem 100, according to an embodiment of the present disclosure. Mobiledevice 110 (which can be operated by a user 105) and an event-providerdevice 120 (which can be operated, controlled, or used by an eventprovider 115) can communicate with an access management system 185directly or via another system (e.g., via an intermediate system 150).Mobile device 110 may transmit data to access point 145, which isconnected to network 155, over communication channel 140 using antennae135. While FIG. 1 illustrates mobile device 110 communicating withaccess point 145 using a wireless connection (e.g., communicationchannel 140), in some embodiments, mobile device 110 may alsocommunicate with access point 145 using a wired connection (e.g., anEthernet connection). Mobile device 110 can also communicate with one ormore client devices, such as a client agent device 170 operated by aclient agent 175, a client register 160 or a client point device 165using a wired or wireless connection. In addition, using the accessmanagement system 185, an event provider 115 can identify an event, aparameter of attending the event, a date or dates of the event, alocation or locations of the event, etc. Each inter-system communicationcan occur over one or more networks 155 and can facilitate transmissionof a variety of types of data. It will be understood that, although onlyone of various systems, devices, entities and network are shown, theresource management system 100 can be extended to include multiple ofany given system(s), device(s), entity(ies), and/or networks.

Access management system 185 can be configured to manage a dynamic setof access rights to one or more resources. More specifically, accessmanagement system 185 can track which resources are to be made availableto users, specifications of the resources and times at which they willbe available. Access management system 185 can also allocate accessrights for resources and facilitate transmissions of notifications ofthe available rights to a set of user devices. For example, accessmanagement system 185 can alert users of the availability via a website,app page or email. As another example, access management system cantransmit data about access rights and resources to one or moreintermediate systems 150, which can facilitate distribution ofaccess-right availability and processing of requests for such rights.

Notifications of available access rights can be accompanied by optionsto request that one or more access rights be assigned to a user.Therefore, user 105 can provide input to mobile device 110 via aninterface to request such assignment and provide other pertinentinformation. Intermediate system 150 and/or access management system 185can process the request to ensure that the requested access right(s)remain available and that all required information has been receivedand, in some instances, verified. Thereafter, access management system185 can assign one or more access rights to the user, e.g., matching theaccess rights requested by the user.

Assigning an access right can include, for example, associating anidentifier of the right with an identifier of a user, changing a statusof the right from available to assigned, facilitating a cease innotifications that the access right is available, generating anaccess-enabling code to use such that the corresponding access will bepermitted and/or generating a notification to be received at mobiledevice 110 confirming the assignment and/or including data required forcorresponding access to be permitted.

In some instances, a resource is at least partly controlled, by aclient. The resource may be accessed at a particular location orstructure, and a variety of client devices may be present at thelocation so as to facilitate usage of an access right. Exemplary clientdevices can include client agent device 170, which can be one operatedby a client agent 175 (e.g., a human client agent), a client register160 (e.g., which can operate independently of an agent and/or can beconnected to or include a device that, while in a locked mode, canimpede resource access, such as a turnstile) and client point device 165(e.g., which can operate independently of an agent and/or can bepositioned at or around the resource-associated location. For example,in some instances client agent device 170 can be operated by an agent ata location for a resource that is an event (“event resource”) takingplace at the location. In this example, client agent device 170 is usedby an agent that is manning an entrance to the location (e.g., which caninclude, for example, a location of a structure or a geographic region)or a part thereof; client register 160 can be or can be connected to aturnstile, gate or lockable door that is positioned along a perimeter orentrance to a resource-associated location or part thereof; and clientpoint device 165 can be an electronic device positioned at or within aresource-associated location.

In some instances, mobile device 110 performs particular functions upondetecting a client device and/or the contrary. For example, mobiledevice 110 may locally retrieve or request (e.g., from an externalsource) an access-enabling code. The access-enabling code can betransmitted to the client device or a remote server (e.g., a serverhosting access management system 185) for evaluation and/or can belocally evaluated. The evaluation can include, for example, confirmingthat the access-enabling code has a particular characteristic or format(e.g., generally or one characteristic corresponding to a particularresource or type of access), matches one in an access-enabling code datastore and/or has not been previously redeemed. A result of theevaluation can be locally displayed at an evaluating device, can controla device component (e.g., a physical access control module), and/or canbe transmitted to another device, such as mobile device 110.

In some instances, user 105 can use multiple mobile devices 110 toperform various operations (e.g., using one device to request an accessright and another to interact with client devices). Some instances ofmobile device 110, access management system 185, intermediate system150, client agent device 170, client register 160 and/or client pointdevice 165 can include a portable electronic device (e.g., a smartphone, tablet, laptop computer or smart wearable device) or anon-portable electronic device (e.g., one or more desktop computers,servers and/or processors).

In exemplary embodiments, access rights can be represented in datamaintained at a client device or at access management system 185. Forexample, a database or data store include a list of identifiers for eachuser or user device having an assigned access right for a resource orassociating an identifier for each user or user device with anidentifier of a particular access right. In some instances, indicia canbe transmitted to a user device that indicates that an access right isavailed. In various instances, it may be permitted or prohibited for theindicia to be transferred. The indicia may be provided as part of anelectronic or physical object (e.g., a right to access an event) orindependently. The indicia may include an access-enabling code.

In some instances, access management system 185 communicates with one ormore intermediate systems 150, each of which may be controlled by adifferent entity as compared to an entity controlling access managementsystem 185. For example, access management system 185 may assign accessrights to intermediate systems 150 (e.g., upon acceptance of terms).Intermediate system 150 can then collect data pertaining to the assignedaccess rights and/or a corresponding event, can format and/or edit thedata, generate a notification of availability of the access rights thatincludes the formatted and/or edited data and facilitate presentation ofthe notification at a mobile device 110. When intermediate system 150receives a communication from the mobile device 110 indicative of anaccess-right request, intermediate system 150 can facilitate assignment(or reassignment) of an access right to the user (e.g., by transmittingrelevant information to access management system 185 identifying theuser and/or user device and/or by transmitting relevant information tomobile device 110 pertaining to the access right).

A resource can include one managed or provided by a client, such as anentity or an entity operating a spatial region. A mobile device 110 cantransmit data corresponding to the access right (e.g., anaccess-enabling code) to a client device upon, for example, detectingthe client device, detecting that a location of the mobile device 110 iswithin a prescribed geographical region, or detecting particular input.The receiving client device may include, for example, a client agentdevice 170 operated at an entrance of a defined geographical location ora client register 160 that includes or is attached to a lockingturnstile. The client device can then analyze the code to confirm itsvalidity and applicability for a particular resource and/or access type,and admittance to the event can be accordingly permitted. For example, aturnstile may change from a locked to an unlocked mode upon confirmationof the code's validity and applicability.

Each of the depicted devices and/or systems may include a software agentor application (“app”) that, when executed, performs one or more actionsas described herein. In some instances, a software agent or app on onedevice is, at least in part, complementary to a software agent or app onanother device (e.g., such that a software agent or app on mobile device110 is, at least in part, complementary to at least part of one onaccess management system 185 and/or a client device; and/or such that asoftware agent or app on intermediate system 150 is, at least in part,complementary to at least part of one on access management system 185).

In some instances, a network in the one or more networks 155 can includean open network, such as the Internet, personal area network, local areanetwork (LAN), campus area network (CAN), metropolitan area network(MAN), wide area network (WAN), wireless local area network (WLAN), aprivate network, such as an intranet, extranet, or other backbone. Insome instances, a network in the one or more networks 155 includes ashort-range communication channel, such as Bluetooth or Bluetooth LowEnergy channel. Communicating using a short-range communication such asBLE channel can provide advantages such as consuming less power, beingable to communicate across moderate distances, being able to detectlevels of proximity, achieving high-level security based on encryptionand short ranges, and not requiring pairing for inter-devicecommunications.

In one embodiment, communications between two or more systems and/ordevices can be achieved by a secure communications protocol, such assecure sockets layer (SSL), transport layer security (TLS). In addition,data and/or transactional details may be encrypted based on anyconvenient, known, or to be developed manner, such as, but not limitedto, DES, Triple DES, RSA, Blowfish, Advanced Encryption Standard (AES),CAST-128, CAST-256, Decorrelated Fast Cipher (DFC), Tiny EncryptionAlgorithm (TEA), eXtended TEA (XTEA), Corrected Block TEA (XXTEA),and/or RCS, etc.

It will be appreciated that, while a variety of devices and systems areshown in FIG. 1, in some instances, resource management system 100 caninclude fewer devices and/or systems. Further, some systems and/ordevices can be combined. For example, a client agent device 170 may alsoserve as an access management system 185 or intermediate system 150 soas to as to facilitate assignment of access rights.

As described in further detail herein, an interaction between mobiledevice 110 and a client device (e.g., client agent device 170, clientregister 160 or client point device 165) can facilitate, for example,verification that user 105 has a valid and applicable access right,obtaining an assignment of an access right, and/or obtaining anassignment of an upgraded access right.

In addition, mobile device 110-2, which is operated by user 125-2, mayinclude a user device that is located at a spatial region of theresource (e.g., venue) during a time period for which the resource isaccessible (e.g., event time). Mobile device 110-2 may directly interactwith a client device (e.g., client agent device 170, client register 160or client point device 165), which is also located at the spatial regionduring the time period in which the resource is accessible using accessrights. As such, the access management system 185 may be updated oraccessed by mobile device 110-2 via the client agent device 170. Forexample, mobile device 110-2 may communicate with the client agentdevice 170 over a short-range communication channel 190, such asBluetooth or Bluetooth Low Energy channel, Near Field Communication(NFC), Wi-Fi, RFID, Zigbee, ANT, etc. Communicating using a short-rangecommunication such as BLE channel can provide advantages such asconsuming less power, being able to communicate across moderatedistances, being able to detect levels of proximity, achievinghigh-level security based on encryption and short ranges, and notrequiring pairing for inter-device communications. After the short-rangecommunication link 190 is established, mobile device 110-2 maycommunicate with the access management system 185 and access the item oritems of resources. That is, while mobile device B is configured tocommunicate over network 155, mobile device 110-2 may communicate withthe access management system 185 via the client agent device 170,instead of the network 155.

It will be appreciated that various parts of system 100 can begeographically separated. It will further be appreciated that system 100can include a different number of various components rather than anumber depicted in FIG. 1. For example, two or more of access assignmentsystems 185; one or more site systems 180; and intermediate system 150may be located in different geographic locations (e.g., differentcities, states or countries).

FIG. 2 shows an illustration of hardware and network connections of aresource access-facilitating interaction system 200 according to anembodiment of the invention. Each of various user devices 210-1, 210-2,210-3, 210-4 and 210-5 can connect, via one or more inter-networkconnection components (e.g., a router 212) and one or more networks 270to a primary assignment management system 214 or a secondary assignmentmanagement system 216-1, 216-2 or 216-3.

Primary assignment management system 214 can be configured to coordinateand/or control initial assignment of access rights. Secondary assignmentmanagement system 216 can be configured to coordinate and/or controlreassignment and/or transfer of access rights (e.g., from one user oruser device to another or from an intermediate agent to a user or userdevice). Secondary assignment management system 216 may also managetransfer offers (e.g., to allow a first user to identify a price atwhich a transfer request would be granted and to detect if a validrequest is received). It will be appreciated that, although primaryassignment management system 214 is shown to be separate from eachsecondary assignment management system 216, in some instances, anassignment management system may relate to both a primary and secondarychannel, and a single data store or a localized cluster of data storesmay include data from both channels.

Each of primary access assignment system 214 and secondary accessassignment system 216 can include a web server 218 that processes andresponds to HTTP requests. Web server 218 can retrieve and deliverweb-page data to a user device 210 that, for example, identify aresource, identify a characteristic of each of one or more access rightsfor the resource, include an invitation to request assignment of anaccess right, facilitate establishment or updating of a profile, and/oridentify characteristics of one or more assigned access rights. Webserver 218 can be configured to support server-side scripting and/orreceive data from user devices 210, such as data from forms or fileuploads.

In some instances, a web server 218 can be configured to communicatedata about a resource and an indication that access rights for theresource are available. Web server 218 can receive a requestcommunication from a user device 210 that corresponds to a request forinformation about access rights. The request can include one or moreconstraints, which can correspond to (for example) values (e.g., to bematched or to define a range) of particular fields.

A management server 222 can interact with web server 218 to provideindications as to which access rights' are available for assignment,characteristics of access rights and/or what data is needed to assign anaccess right. When requisite information is received (e.g., about a userand/or user device, identifying a final request for one or more accessrights, including payment information, and so on), management server 222can coordinate an assignment of the one or more access rights. Thecoordination can include updating an access-right data store to change astatus of the one or more access rights (e.g., to assigned); toassociate each of the one or more access rights with a user and/or userdevice; to generate or identify one or more access-enabling codes forthe one or more access rights; and/or to facilitate transmissionreflecting the assignment (e.g., and including the one or moreaccess-enabling codes) to a user device.

Management server 222 can query, update and manage an access-right datastore to identify access rights' availability and/or characteristicand/or to reflect a new assignment. The data store can include oneassociated with the particular assignment system. In some instances, thedata store includes incomplete data about access rights for a resource.For example, a data store 224 at and/or used by a secondary accessassignment system 216 may include data about an incomplete subset ofaccess rights that have been allocated for a particular resource. Toillustrate, a client agent may have indicated that an independentintermediary system can (exclusively or non-exclusively) coordinateassignment of a portion of access rights for a resource but not theremainder. A data store 224 may then, for example, selectively includeinformation (e.g., characteristics, statuses and/or assignmentassociations) for access rights in the portion.

Data store 224 or 226 associated with a particular primary or secondaryaccess assignment system can include assignment data for a set of accessrights that are configured to be set by the particular primary orsecondary access assignment system or by another system. For example, aprotocol can indicate that a given access right is to have an availablestatus until a first of a plurality of access assignment systems assignsthe access right. Accordingly, access assignment systems would then needto communicate to alert each other of assignments.

In one instance, management server 222 (or another server in an accessassignment system) sends a communication to a central data managementserver farm 228 reflecting one or more recent assignments. Thecommunication may include an identification of one or more accessrights, an indication that the access right(s) have been assigned, anidentification of a user and/or user device associated with theassignment and/or one or more access-enabling codes generated oridentified to be associated with the assignment. The communication canbe sent, for example, upon assigning the access right(s), as a precursorto assigning the access right(s) (e.g., to confirm availability and/orrequest assignment authorization), at defined times or time intervalsand/or in response to an assignment-update request received from datamanagement server farm 228.

Data management server farm 228 can then update a central data store toreflect the data from the communication. The central data store can bepart of, for example, a network-attached storage 232 and/or astorage-area network 234.

In some instances, a data store 224 or 226 can include a cache, thatincludes data stored based on previous communications with datamanagement server farm 228. For example, data management server farm 228may periodically transmit statuses of a set of access rights (e.g.,those initially configured to be assignable by an access assignmentsystem) or an updated status (e.g., indicating an assignment) of one ormore access rights. As another example, data management server farm 228may transmit statuses upon receiving a request from an access assignmentsystem for statuses and/or authorization to assign one or more accessrights.

An access assignment system may receive statuses less frequently or attimes unaligned with requests received from user devices requestinginformation about access rights and/or assignments. Rather than initiatea central data store query responsive to each user-device request, amanagement server 222 can rely on cached data (e.g., locally cacheddata) to identify availability of one or more access rights, as reflectin webpage data and/or communications responsive to requestcommunications for access-right information. After requisite informationhas been obtained, management server 222 can then communicate with datamanagement server farm 228 to ensure that one or more particular accessrights have remained available for assignment.

In some instances, one or more of primary access assignment system 214and/or a secondary access assignment system 214 need not include a localor system-inclusive data store for tracking access-right statuses,assignments and/or characteristics. Instead, the access assignmentsystem may communicate with a remote and/or central data store (e.g.,network-attached storage 232 or storage-area network 234).

Access management system 120 can include a primary access assignmentsystem 214 and/or a secondary access assignment system 214; datamanagement server farm 228; and/or a central data store (e.g.,network-attached storage 232 or storage-area network 234). Each of oneor more intermediate systems 130 can include a primary access assignmentsystem 214 and/or a secondary access assignment system 214.

Data management server farm 228 may periodically and/or routinely assessa connection with an access assignment system 214. For example, a testcommunication can be sent that is indicative of a request to respond(e.g., with particular data or generally). If a response communicationis not received, if a response communication is not received within adefined time period and/or if a response communication includesparticular data (e.g., reflecting poor data integrity, network speed,processing speed, etc.), data management server farm 228 may reconfigureaccess rights and/or permissions and/or may transmit anothercommunication indicating that assignment rights of the access assignmentsystem are limited (e.g., to prevent the system from assigning accessrights).

It will be appreciated that various parts of system 200 can begeographically separated. For example, two or more of primary accessassignment system 214; one or more of secondary access assignmentsystems 214; and data management server farm 228 may be located indifferent geographic locations (e.g., different cities, states orcountries).

It will further be appreciated that system 200 can include a differentnumber of various components rather than a number depicted in FIG. 2.For example, system 200 can include multiple data management serverfarms 228, central data stores and/or primary access assignment systems214 (e.g., which can be geographically separated, such as being locatedin different cities, states or countries). In some instances, processingmay be split (e.g., according to a load-balancing technique) acrossmultiple data management server farms 228 and/or across multiple accessassignment systems 214. Meanwhile, the farms and/or systems can beconfigured to accept an increased or full load should another farmand/or system be unavailable (e.g., due to maintenance). Data stored ina central data store may also be replicated in geographically separateddata stores.

FIG. 3 shows an illustration of a communication exchange betweencomponents involved in a resource access-facilitating interaction system300 according to an embodiment of the invention. A user device 310 cansend one or more HTTP requests to a web-server system 318, andweb-server system 318 can respond with one or more HTTP responses thatinclude webpage data. The webpage data can include, for example,information about one or more resources, characteristics of a set ofaccess rights for each of the one or more resources, availability of oneor more access rights, an invitation to request an assignment of one ormore access rights and/or indications as to what information is requiredfor an access-right assignment. HTTP requests can includeassignment-request data (e.g., a resource identification, requisiteinformation, and/or an identification of an access-right constraint oraccess right).

Web-server system 318 can include one or more web processors (e.g.,included in one or more server farms, which may be geographicallyseparated) to, for example, map a path component of a URL to web data(e.g., stored in a local file system or generated by a program);retrieve the web data; and/or generate a response communicationincluding the web data. Web processor can further parse communication toidentify input-corresponding data in HTTP requests, such as field valuesrequired for an access-right assignment.

Web-server system 318 can also include a load balancer to distributeprocessing tasks across multiple web processors. For example, HTTPrequests can be distributed to different web processors. Load-balancingtechniques can be configured so as, for example, to distributeprocessing across servers or server farms, decrease a number of hopsbetween a web server and user device, decrease a geographical locationbetween a user device and web server, etc.

Web-server system 318 can further include a RAID component, such as aRAID controller or card. A RAID component can be configured, forexample, to stripe data across multiple drives, distribute parity acrossdrives and/or mirror data across multiple drives. The RAID component canbe configured to improve reliability and increase request-processingspeeds.

Web-server system 318 can include one or more distributed,non-distributed, virtual, non-virtual, local and/or remote data stores.The data stores can include web data, scripts and/or content object(e.g., to be presented as part or web data).

Some HTTP requests include requests for identifications of access-rightcharacteristics and/or availability. To provide web data reflecting suchinformation, web-server system 318 can request the information fromanother server, such as an SQL system 341 (e.g., which may include oneor more servers or one or more server farms).

SQL system 341 can include one or more SQL processors (e.g., included inone or more server farms, which may be geographically separated). SQLprocessors can be configured to query, update and otherwise use one ormore relational data stores. SQL processors can be configured to execute(and, in some instances, generate) code (e.g., SQL code) to query arelational data store.

SQL system 341 can include a database engine, that includes a relationalengine, OLE database and storage engine. A relational engine canprocess, parse, compile, and/or optimize a query and/or makequery-associated calls. The relational engine can identify an OLE DB rowset that identifies the row with columns matching search criteria and/ora ranking value. A storage engine can manage data access and use therowset (e.g., to access tables and indices) to retrieve query-responsivedata from one or more relational databases.

SQL system 341 can include one or more distributed, non-distributed,virtual, non-virtual, local and/or remote relational data stores. Therelational databases can include linked data structures identifying, forexample, resource information, access-right identifications andcharacteristics, access-right statuses and/or assignments, and/or userand/or user profile data. Thus, for example, use of the relationalstructures may facilitate identifying, for a particular user, acharacteristic of an assigned access right and information about aresource associated with the access right.

One or more data structures in a relational data structure may reflectwhether particular access rights have been assigned or remain available.This data may be based on data received from a catalog system 342 thatmonitors and tracks statuses of resource access rights. Catalog system342 can include one or more catalog processors (e.g., included in one ormore server farms, which may be geographically separated). Catalogprocessors can be configured to generate status-update requestcommunications to be sent to one or more access assignment systemsand/or intermediate systems and/or to receive status-updatecommunications from one or more access assignment systems and/orintermediate systems. A status-update communication can, for example,identify an access right and/or resource and indicate an assignment ofthe access right. For example, a status-update communication canindicate that a particular access right has been assigned and is thus nolonger available. In some instances, a status-update communicationidentifies assignment details, such as a user, profile and/or userdevice associated with an access-right assignment; a time that theassignment was made; and/or a price associated with the assignment.

In some instances, a status update is less explicit. For example, acommunication may identify an access right and/or resource and request afinal authorization of an assignment of the access right. Catalog system342 can then verify that the access right is available for assignment(e.g., and that a request-associated system or entity is authorized tocoordinate the assignment) and can transmit an affirmative response.Such a communication exchange can indicate (in some instances) that theaccess right is assigned and unavailable for other assignment.

In some instances, catalog system 342 can also be integrated with anon-intermediate access assignment system, such that it can directlydetect assignments. For example, an integrated access assignment systemcan coordinate a message exchange with a user device, can query acatalog data store to identify available access rights and canfacilitate or trigger a status-change of an access right to reflect anassignment (e.g., upon having received all required information.

Whether a result of a direct assignment detection or a status updatefrom an intermediate system, a database engine of catalog system 342 canmanage one or more data stores so as to indicate a current status ofeach of a set of access rights for a resource. The one or more datastores may further identify any assignment constraints. For example,particular access rights may be earmarked so as to only allow one ormore particular intermediate systems to trigger a change to the accessrights' status and/or to assign the access rights.

The database engine can include a digital asset management (DAM) engineto receive, transform (e.g., annotate, reformat, introduce a schema,etc.) status-update communications, and identify other data (e.g., anidentifier of an assigning system and/or a time at which a communicationwas received) to associate with a status update (e.g., an assignment).Therefore, the DAM engine can be configured to prepare storage-updatetasks so as to cause a maintained data store to reflect a recent datachange.

Further, the DAM engine can facilitate handling of data-store queries.For example, a status-request communication or authorization-requestcommunication can be processed to identify variables and/or indices touse to query a data store. A query can then be generated and/or directedto a data store based on the processing. The DAM engine can relay (e.g.,and, potentially, perform intermediate processing to) a query result toa request-associate system.

The database engine can also include a conflict engine, which can beconfigured to access and implement protocols indicating how conflictsare to be handled. For example, catalog system 342 may receive multiplerequests within a time period requesting an assignment authorization (ora hold) for a particular access right. A protocol may indicate that afirst request is to receive priority, that a request associated with amore highly prioritized requesting system (e.g., intermediate system) isto be prioritized, that a request associated with a relatively high (orlow) quantity of access rights identified in the request for potentialassignment are to be prioritized, etc.

The database engine can further include a storage engine configured tomanage data access and/or data updates (e.g., modifying existing data oradding new data). The data managed by and/or accessible to the storageengine can be included in one or more data stores. The data stores caninclude, for example, distributed, non-distributed, virtual,non-virtual, local and/or remote data stores. The data stores caninclude, for example, a relational, non-relational, object, non-object,document and/or non-document data store. Part or all of a data store caninclude a shadow data store, that shadows data from another data store.Part or all of a data store can include an authoritative data store thatis (e.g., directly and/or immediately) updated with access-rightassignment changes (e.g., such that a primary or secondary accessassignment system updates the data store as part of an access-rightassignment process, rather than sending a post-hoc status-updatecommunication reflecting the assignment). In some instances, a datastore an authoritative data store identifies a status for each of a set(e.g., or all) of access rights for a given resource. Should there beany inconsistency between an authoritative data store and another datastore (e.g., at an intermediate system), system 300 can be configuredsuch that the authoritative data store is controlling.

System 300 can further include a replication system 343. Replicationsystem 343 can include one or more replication processors configured toidentify new or modified data, to identify one or more data storesand/or location at which to store the new or modified data and/or tocoordinate replication of the data. In some instances, one or more ofthese identifications and/or coordination can be performed using areplication rule. For example, a replication rule may indicate thatreplication is to be performed in a manner biased towards storingreplicated data at a data store geographically separated from anotherdata store storing the data.

A data duplicator can be configured to read stored data and generate oneor more write commands so as to store the data at a different datastore. A controller can manage transmitting write commands appropriatelyso as to facilitate storing replicated data at identified data stores.Further, a controller can manage data stores, such as a distributedmemory or distributed shared memory, to ensure that a currently activeset of data stores includes a target number of replications of data.

Accordingly, web-server system 318 can interact with user device 310 toidentify available access rights and to collect information needed toassign an access right. Web-server system 318 can interact with SQLsystem 341 so as to retrieve data about particular resources and/oraccess rights so as to configure web data (e.g., via dynamic webpages orscripts) to reflect accurate or semi-accurate information and/orstatuses. SQL system 341 can use relational data stores to quicklyprovide such data. Meanwhile, catalog system 342 may manage one or morenon-relational and/or more comprehensive data stores may be tasked withmore reliably and quickly tracking access-right statuses andassignments. The tracking may include receiving status updates (e.g.,via a push or pull protocol) from one or more intermediate systemsand/or by detecting assignment updates from non-intermediate systems,such as an integrated access assignment system and/or SQL system 341.Catalog system 342 may provide condensed status updates (e.g.,reflecting a binary indication as to whether an access right isavailable) to SQL system 341 periodically, at triggered times and/or inresponse to a request from the SQL system. A replication system 343 canfurther ensure that data is replicated at multiple data stores, so as toimprove a reliability and speed of system 300.

It will be appreciated that various parts of system 300 can begeographically separated. For example, each of user device 310,intermediate system 330, web-server system 318, SQL system 341, catalogsystem 342 and replication 343 may be located in different geographiclocations (e.g., different cities, states or countries).

FIG. 4 illustrates example components of a device 400, such as a clientdevice (e.g., client agent device 140, client register 150 and/or clientpoint device 160), an intermediate system (e.g., intermediate system130) and/or an access management system (e.g., access management system120) according to an embodiment of the invention.

The components can include one or more modules that can be installed ondevice 400. Modules can include some or all of the following: a networkinterface module 402 (which can operate in a link layer of a protocolstack), a message processor module 404 (which can operate in an IP layerof a protocol stack), a communications manager module 406 (which canoperate in a transport layer of a protocol stack), a communicationsconfigure module 408 (which can operate in a transport and/or IP layerin a protocol stack), a communications rules provider module 410 (whichcan operate in a transport and/or IP layer in a protocol stack),application modules 412 (which can operate in an application layer of aprotocol stack), a physical access control module 432 and one or moreenvironmental sensors 434.

Network interface module 402 receives and transmits messages via one ormore hardware components that provide a link-layer interconnect. Thehardware component(s) can include, for example, RF antenna 403 or a port(e.g., Ethernet port) and supporting circuitry. In some embodiments,network interface module 402 can be configured to support wirelesscommunication, e.g., using Wi Fi (IEEE 802.11 family standards),Bluetooth® (a family of standards promulgated by Bluetooth SIG, Inc.),BLE, or near-field communication (implementing the ISO/IEC 18092standards or the like).

RF antenna 403 can be configured to convert electric signals into radioand/or magnetic signals (e.g., to radio waves) to transmit to anotherdevice and/or to receive radio and/or magnetic signals and convert themto electric signals. RF antenna 403 can be tuned to operate within aparticular frequency band. In some instances, a device includes multipleantennas, and the antennas can be, for example, physically separated. Insome instances, antennas differ with respect to radiation patterns,polarizations, take-off angle gain and/or tuning bands. RF interfacemodule 402 can include one or more phase shifters, filters, attenuators,amplifiers, switches and/or other components to demodulate receivedsignals, coordinate signal transmission and/or facilitate high-qualitysignal transmission and receipt.

In some instances, network interface module 402 includes a virtualnetwork interface, so as to enable the device to utilize an intermediatedevice for signal transmission or reception. For example, networkinterface module 402 can include VPN software.

Network interface module 402 and one or more antennas 403 can beconfigured to transmit and receive signals over one or more connectiontypes. For example, network interface module 402 and one or moreantennas 403 can be configured to transmit and receive WiFi signals,cellular signals, Bluetooth signals, Bluetooth Low Energy (BLE) signals,Zigbee signals, or Near-Field Communication (NFC) signals.

Message processor module 404 can coordinate communication with otherelectronic devices or systems, such as one or more servers or a userdevice. In one instance, message processor module 404 is able tocommunicate using a plurality of protocols (e.g., any known, futureand/or convenient protocol such as, but not limited to, XML, SMS, MMS,and/or email, etc.). Message processor module 404 may further optionallyserialize incoming and/or outgoing messages and facilitate queuing ofincoming and outgoing message traffic.

Message processor module 404 can perform functions of an IP layer in anetwork protocol stack. For example, in some instances, messageprocessor module 404 can format data packets or segments, combine datapacket fragments, fragment data packets and/or identify destinationapplications and/or device addresses. For example, message processormodule 404 can defragment and analyze an incoming message to determinewhether it is to be forwarded to another device and, if so, can addressand fragment the message before sending it to the network interfacemodule 402 to be transmitted. As another example, message processormodule 404 can defragment and analyze an incoming message to identify adestination application that is to receive the message and can thendirect the message (e.g., via a transport layer) to the application.

Communications manager module 406 can implement transport-layerfunctions. For example, communications manager module 406 can identify atransport protocol for an outgoing message (e.g., transmission controlprotocol (TCP) or user diagram protocol (UDP)) and appropriatelyencapsulate the message into transport protocol data units. Messageprocessor module 404 can initiate establishment of connections betweendevices, monitor transmissions failures, control data transmission ratesand monitoring transmission quality. As another example, communicationsmanager module 406 can read a header of an incoming message to identifyan application layer protocol to receive the message's data. The datacan be separated from the header and sent to the appropriateapplication. Message processor module 404 can also monitor the qualityof incoming messages and/or detect out of order incoming packets.

In some instances, characteristics of message-receipt ormessage-transmission quality can be used to identify a health status ofan established communications link. In some instances, communicationsmanager module 406 can be configured to detect signals indicating thehealth status of an established communications link (e.g., a periodicsignal from the other device system, which if received without dropouts,indicates a healthy link).

In some instances, a communication configurer module 408 is provided totrack attributes of another system so as to facilitate establishment ofa communication session. In one embodiment, communication configurermodule 408 further ensures that inter-device communications areconducted in accordance with the identified communication attributesand/or rules. Communication configurer module 408 can maintain anupdated record of the communication attributes of one or more devices orsystems. In one embodiment, communications configurer module 408 ensuresthat communications manager module 406 can deliver the payload providedby message processor module 404 to the destination (e.g., by ensuringthat the correct protocol corresponding to the client system is used).

A communications rules provider module 410 can implement one or morecommunication rules that relate to details of signal transmissions orreceipt. For example, a rule may specify or constrain a protocol to beused, a transmission time, a type of link or connection to be used, adestination device, and/or a number of destination devices. A rule maybe generally applicable or conditionally applicable (e.g., only applyingfor messages corresponding to a particular app, during a particular timeof day, while a device is in a particular geographical region, when ausage of a local device resource exceeds a threshold, etc.). Forexample, a rule can identify a technique for selecting between a set ofpotential destination devices based on attributes of the set ofpotential destination devices as tracked by communication configuremodule 408. To illustrate, a device having a short response latency maybe selected as a destination device. As another example, communicationsrules provider 410 can maintain associations between various devices orsystems and resources. Thus, messages corresponding to particularresources can be selectively transmitted to destinations having accessto such resources.

A variety of application modules 412 can be configured to initiatemessage transmission, process incoming transmissions, facilitateselective granting of resource access, facilitate processing of requestsfor resource access, and/or performing other functions. In the instancedepicted in FIG. 4, application modules 412 include an auto-updatermodule 414, a resource access coordinator module 416, and/or a codeverification module 418.

Auto-updater module 414 automatically updates stored data and/or agentsoftware based on recent changes to resource utilization, availabilityor schedules and/or updates to software or protocols. Such updates canbe pushed from another device (e.g., upon detecting a change in aresource availability or access permit) or can be received in responseto a request sent by device 400. For example, device 400 can transmit asignal to another device that identifies a particular resource, and aresponsive signal can identify availabilities of access to the resource.As another example, device 400 can transmit a signal that includes anaccess access-enabling code, and a responsive signal can indicatewhether the code is applicable for access of a particular resourceand/or is valid.

In some instances, auto-updater module 414 is configured to enable theagent software to understand new, messages, commands, and/or protocols,based on a system configuration/change initiated on another device.Auto-updater module 414 may also install new or updated software toprovide support and/or enhancements, based on a system configurationchange detected on device 400. System configuration changes that wouldnecessitate changes to the agent software can include, but are notlimited to, a software/hardware upgrade, a security upgrade, a routerconfiguration change, a change in security settings, etc. For example,if auto-updater module 414 determines that a communication link withanother device has been lost for a pre-determined amount of time,auto-updater module 414 can obtain system configuration information tohelp re-establish the communication link. Such information may includenew settings/configurations on one or more hardware devices or new orupgraded software on or connected to device 400. Thus, auto-updatermodule 414 can detect or be informed by other software when there is anew version of agent software with additional functionality and/ordeficiency/bug corrections or when there is a change with respect to thesoftware, hardware, communications channel, etc.), and perform updatesaccordingly.

Based on the newly obtained system configuration for device 400,auto-updater module 414 can cause a new communication link to bere-established with another device. In one embodiment, uponestablishment of the communication link, system configurationinformation about device 400 can also be provided to another device tofacilitate the connection to or downloading of software to device 400.

In one embodiment, when a poor health signal is detected by anotherdevice (e.g., when the health signal is only sporadically received butthe communication link is not necessarily lost), the other device cansend a command to auto-updater module 414 to instruct auto-updatermodule 414 to obtain system configuration information about device 400.The updated system configuration information may be used in an attemptto revive the unhealthy communications link (e.g., by resending aresource request). For example, code can utilize appropriate systemcalls for the operating system to fix or reestablish communications. Byway of example and not limitation, model and driver information isoptionally obtained for routers in the system in order querying them. Byway of further example, if the code determines that a new brand ofrouter has been installed, it can adapt to that change, or to the changein network configuration, or other changes.

Instead or in addition, the host server (e.g., via communicationsmanager 406) can send specific instructions to auto-updater module 414to specify tests or checks to be performed on device 400 to determinethe changes to the system configurations (e.g., by automaticallyperforming or requesting a check of system hardware and/or software).For example, the components involved in the chain of hops through anetwork can be queried and analyzed. Thus, for example, if a new ISP(Internet service provider) is being used and the management systemtraffic is being filtered, or a new router was installed and thesoftware needs to change its configuration, or if someone made a changeto the operating system that affects port the management system is usingto communicate, the management system (or operator) can communicate withthe ISP, change it back, or choose from a new available port,respectively.

The specific tests may be necessary to help establish the communicationlink, if, for example, the automatic tests fail to provide sufficientinformation for the communication link to be re-established, ifadditional information is needed about a particular configurationchange, and/or if the client system is not initially supported by theauto-updater module 414, etc.

Auto-updater module 414 can also receive signals identifying updatespertaining to current or future availability of resources and/or accesspermits. Based on the signals, auto-updater module 414 can modify, addto or delete stored data pertaining to resource availabilities, resourceschedules and/or valid access permits. For example, upon receiving anupdate signal, auto-updater 414 can modify data stored in one or moredata stores 422, such as a profile data store 424, resourcespecification data store 426, resource status data store 428 and/oraccess-enabling code data store 430.

Profile data store 424 can store data for entities, such asadministrators, intermediate-system agents and/or users. The profiledata can include login information (e.g., username and password),identifying information (e.g., name, residential address, phone number,email address, age and/or gender), professional information (e.g.,occupation, affiliation and/or professional position), and preferences(e.g., regarding resource types, entities, access right locations,and/or resource types). The profile data can also or alternativelyinclude technical data, such a particular entity can be associated withone or more device types, IP addresses, browser identifier and/oroperating system identifier).

Resource specification data store 426 can store specification datacharacterizing each of one or more resources. For example, specificationdata for a resource can include a processing power, available memory,operating system, compatibility, device type, processor usage, powerstatus, device model, number of processor cores, types of memories, dateand time of availability, a resource entity, and/or a spatial region ofthe resource. Specification data can further identify, for example, acost for each of one or more access rights.

Resource status data store 428 can store status data reflecting whichresources are available (or unavailable), thereby indicating whichresources have one or more open assignments. In some instances, thestatus data can include schedule information about when a resource isavailable. Status data can include information identifying an entity whorequested, automatically and/or tentatively assigned or was assigned aresource. In some instances, status information can indicate that aresource is being held or automatically and/or tentatively assigned andmay identify an entity associated with the hold and/or a time at whichthe hold or reservation will be enabled to be queried.

Access-enabling code data store 430 can store access-enabling code datathat includes one or more codes and/or other information that can beused to indicate that an entity is authorized to use, have or receive aresource. An access-enabling code can include, for example, a numericstring, an alphanumeric string, a text string, a 1-dimensional code, a2-dimensional code, a barcode, a quick response (QR) code, an image, astatic code and/or a temporally dynamic code. An access-enabling codecan be, for example, unique across all instances, resource types and/orentities. For example, access-enabling codes provided in association foraccess rights to a particular resource can be unique relative to eachother. In some instances, at least part of a code identifies a resourceor specification of a resource.

One or more of data stores 424, 426, 428, and 430 can be a relationaldata store, such that elements in one data store can be referencedwithin another data store. For example, resource status data store 428can associate an identifier of a particular access right with anidentifier of a particular entity. Additional information about theentity can then be retrieved by looking up the entity identifier inprofile data store 424.

Updates to data stores 424, 426, 428, and 430 facilitated and/orinitiated by auto-updater module 414 can improve cross-device dataconsistency. Resource access coordinator module 416 can coordinateresource access by, for example, generating and distributingidentifications of resource availabilities; processing requests forresource access; handling competing requests for resource access; and/orreceiving and responding to resource-offering objectives.

FIG. 5 illustrates example components of resource access coordinatormodule 416 that may operate, at least in part, at an access managementsystem (e.g., access management system) according to an embodiment ofthe present disclosure. A resource specification engine 502 can identifyone or more available resources. For example, resource specificationengine 502 can detect input that identifies a current or futureavailability of a new resource.

Resource specification engine 502 can identify one or morespecifications of each of one or more resources. A specification caninclude an availability time period. For example, resource specificationengine 502 can determine that a resource is available, for example, at aparticular date and time (e.g., as identified based on input), for atime period (e.g., a start to end time), as identified in the input,and/or from a time of initial identification until another inputindicating that the resource is unavailable is detected. A specificationcan also or alternatively include a location (e.g., a geographiclocation and/or spatial region) of the resource. A specification canalso or alternatively include one or more parties associated with theresource. Resource specification engine 502 can store the specificationsin association with an identifier of the resource in resourcespecifications data store 426.

A resource-access allocation engine 504 can allocate access rights forindividual resources. An access right can serve to provide an associatedentity with the right or a priority to access a resource. Because (forexample) association of an access right with an entity can, in someinstances, be conditioned on one or more steps of an assignment processor authorization thereof, an allocated access right can be initiallyunassociated with particular entities (e.g., users). For example, anallocated right can correspond to one or more access characteristics,such as an processor identifier, a usage time, a memory allocation,and/or a geographic location. For an allocated access right,resource-access allocation engine 504 can store an identifier of theright in resource statuses data store 428 in association with anidentifier for the resource and an indication that it has not yet beenassigned to a particular entity.

A communication engine 506 can facilitate communicating the availabilityof the resource access rights to users. In some instances, a publisherengine 508 generates a presentation that identifies a resource andindicates that access rights are available. Initially or in response touser interaction with the presentation, the presentation can identifyaccess characteristics about available access rights. The presentationcan include, for example, a chart that identifies available accessrights for an event. Publisher engine 508 can distribute thepresentation via, for example, a website, app page, email and/ormessage. The presentation can be further configured to enable a user torequest assignments of one or more access rights.

In some instances, an intermediate system coordination engine 510 canfacilitate transmission of information about resource availability(e.g., resource specifications and characteristics of resource-accessrights) to one or more intermediate systems (e.g., by generating one ormore messages that include such information and/or facilitatingpublishing such information via a website or app page). Each of the oneor more intermediate systems can publish information about the resourceand accept requests for resource access. In some instances, intermediatesystem coordination engine 510 identifies different access rights asbeing available to individual intermediate systems to coordinateassignment. For example, access rights for Section 1 may be provided fora first intermediate system to assign, and access rights for Section 2may be provided to a second intermediate system to assign.

In some instances, overlapping access rights are made available tomultiple intermediate systems to coordinate assignments. For example,some or all of a first set of resource rights (e.g., corresponding to asection) may be provided to first and second intermediate systems. Insuch instances, intermediate system coordination engine 510 can respondto a communication from a first intermediate system indicating that arequest has been received (e.g., and processed) for an access right inthe set) by sending a notification to one or more other intermediatesystems that indicates that the access right is to be at leasttemporarily (or entirely) made unavailable.

Intermediate system coordination engine 510 can monitor communicationchannels with intermediate systems to track the health and security ofthe channel. For example, a healthy connection can be inferred whenscheduled signals are consistently received. Further, intermediatesystem coordination engine 510 can track configurations of intermediatesystems (e.g., via communications generated at the intermediate systemsvia a software agent that identifies such configurations) so as toinfluence code generation, communication format, and/or provisions oraccess rights.

Thus, either via a presentation facilitated by publisher engine 508(e.g., via a web site or app page) or via communication with anintermediate system, a request for assignment of an access right can bereceived. A request management engine 512 can process the request.Processing the request can include determining whether all otherrequired information has been received, such as user-identifyinginformation (e.g., name), access-right identifying information (e.g.,identifying a resource and/or access-right characteristic) user contactinformation, and/or user device information (e.g., type of device,device identifier, and/or IP address).

When all required information has not been received, request managementengine 512 can facilitate collection of the information (e.g., via aninterface, app page or communication to an intermediate system). Requestmanagement engine 512 can also or alternatively execute or facilitatethe execution of the assignment process, which includes one or moresteps for completing an assignment of an access right to a user deviceor user profile. For example, publisher engine 508 may receive datainputted by the user via an interface, and request management engine 512can request authorization to complete the assignment process. In someinstances, request management engine 512 retrieves data from a userprofile.

For example, publisher engine 508 may indicate that a request for anaccess right has been received while a user was logged into a particularprofile. Request management engine 512 may then retrieve, for example,contact information, device information, and/or preferences informationassociated with the profile from profile data store 424.

In some instances, request management engine 512 prioritizes requests,such as requests for overlapping, similar or same access rights receivedwithin a defined time period. The prioritization can be based on, forexample, times at which requests were received (e.g., prioritizingearlier requests), a request parameter (e.g., prioritizing requests fora higher or lower number of access rights above others), whetherrequests were received via an intermediate system (e.g., prioritizingsuch requests lower than others), intermediate systems associated withrequests, whether requests were associated with users having establishedprofiles, and/or whether requests were associated with inputs indicativeof a bot initiating the request (e.g., shorter inter-click intervals,failed CAPTCHA tests).

Upon determining that required information has been received andrequest-processing conditions have been met, request management engine512 can forward appropriate request information to a resource schedulingengine 514. For a request, resource scheduling engine 514 can queryresource status data store 428 to identify access rights matchingparameters of the request.

In some instances, the request has an access-right specificity matchinga specificity at which access rights are assigned. In some instances,the request is less specific, and resource scheduling engine 514 canthen facilitate an identification of particular rights to assign. Forexample, request management engine 512 can facilitate a communicationexchange by which access right characteristics matching the request areidentified, and a user is allowed to select particular rights. Asanother example, request management engine 512 can itself select fromamongst matching access rights based on a defined criterion (e.g., bestsummed or averaged access-right ranking, pseudo-random selection, or aselection technique identified based on user input).

Upon identifying appropriately specific access rights, resourcescheduling engine 514 can update resource status data store 428 so as toplace the access right(s) on hold (e.g., while obtaining userconfirmation) and/or to change a status of the access right(s) toindicate that they have been assigned (e.g., immediately, uponcompleting an assignment process or upon receiving user confirmation).Such assignment indication may associate information about the user(e.g., user name, device information, phone number and/or email address)and/or assignment process (e.g., identifier of any intermediate systemand/or assignment date and time) with an identifier of the accessright(s).

For individual assigned access rights, an encoding engine 516 cangenerate an access-enabling code. The access-enabling code can include,for example, an alphanumeric string, a text string, a number, a graphic,a code (e.g., a 1-dimensional or 2-dimensional code), a static code, adynamic code (e.g., with a feature depending on a current time, currentlocation or communication) and/or a technique for generating the code(e.g., whereby part of the code may be static and part of the code maybe determined using the technique). The code may be unique across allaccess rights, all access rights for a given resource, all access rightsassociated with a given location, all access rights associated with agiven time period, all resources and/or all users. In some instances, atleast part of the code is determined based on or is thereafterassociated with an identifier of a user, user device information, aresource specification and/or an access right characteristic.

In various embodiments, the code may be generated prior to allocatingaccess rights (e.g., such that each of some or all allocated accessrights are associated with an access-enabling code), prior to or whileassigning one or more access right(s) responsive to a request (e.g.,such that each of some or all assigned access rights are associated withan access-enabling code), at a prescribed time, and/or when the deviceis at a defined location and/or in response to user input. The code maybe stored at or availed to a user device. In various instances, at theuser device, an access-enabling code may be provided in a manner suchthat it is visibly available for user inspection or concealed from auser. For example, a physical manifestation of an access right may be adocument with an access code, and a copy of this document may betransmitted to a user device, or an app on the user device can transmita request with a device identifier for a dynamic code.

Encoding engine 516 can store the access-enabling codes inaccess-enabling code data store 430. Encoding engine 516 can also oralternatively store an indication in profile data store 424 that theaccess right(s) have been assigned to the user. It will again beappreciated that data stores 424, 426, 428, and 430 can be relationaland/or linked, such that, for example, an identification of anassignment can be used to identify one or more access rights, associatedaccess-enabling code(s) and/or resource specifications.

Resource scheduling engine 514 can facilitate one or more transmissionsof data pertaining to one or more assigned access rights to a device ofa user associated with the assignment and/or to an intermediate systemfacilitating the assignment and/or having transmitted a correspondingassignment request. The data can include an indication that accessrights have been assigned and/or details as to which rights have beenassigned. The data can also or alternatively include access-enablingcodes associated with assigned access rights.

While FIG. 5 depicts components of resource access coordinator module516 that may be present on an access management system 120, it will beappreciated that similar or complementary engines may be present onother systems. For example, a communication engine on a user device canbe configured to display presentations identifying access rightavailability, and a request management engine on a user device can beconfigured to translate inputs into access-right requests to send to anintermediate system or access management system.

Returning to FIG. 4, code verification module 418 (e.g., at a userdevice or client device) can analyze data to determine whether anaccess-enabling code is generally valid and/or valid for a particularcircumstance. The access-enabling code can include one that is receivedat or detected by device 400. The analysis can include, for example,determining whether all or part of the access-enabling code matches onestored in access-enabling code data store 430 or part thereof, whetherthe access-enabling code has previously been applied, whether all orpart of the access-enabling code is consistent with itself or otherinformation (e.g., one or more particular resource specifications, acurrent time and/or a detected location) as determined based on aconsistency analysis and/or whether all or part of the access-enablingcode has an acceptable format.

For example, access-enabling code data store 430 can be organized in amanner such that access-enabling codes for a particular resource, date,resource group, client, etc. can be queried to determine whether anysuch access-enabling codes correspond to (e.g. match) one beingevaluated, which may indicate that the code is verified. Additionalinformation associated with the code may also or alternatively beevaluated. For example, the additional information can indicate whetherthe code is currently valid or expired (e.g., due to a previous use ofthe code).

As another example, a portion of an access-enabling code can include anidentifier of a user device or user profile, and code verificationmodule 418 can determine whether the code-identified device or profilematches that detected as part of the evaluation.

To illustrate, device 400 can be a client device that electronicallyreceives a communication with an access-enabling code from a userdevice. The communication can further include a device identifier thatidentifies, for example, that the user device is a particular type ofsmartphone. Code verification module 418 can then determine whetherdevice-identifying information in the code is consistent with theidentified type of smartphone.

As yet another example, code verification module 418 can identify a codeformat rule that specifies a format that valid codes are to have. Toillustrate, the code format rule may identify a number of elements thatare to be included in the code or a pattern that is to be present in thecode. Code verification module 418 can then determine that a code is notvalid if it does not conform to the format.

Verification of an access-enabling code can indicate that access to aresource is to be granted. Conversely, determining that a code is notverified can indicate that access to a resource is to be limited orprevented. In some instances, a presentation is generated (e.g., andpresented) that indicates whether access is to be granted and/or aresult of a verification analysis. In some instances, access grantingand/or limiting is automatically affected. For example, upon a codeverification, a user device and/or user may be automatically permittedto access a particular resource. Accessing a resource may include, forexample, using a computational resource, possessing an item, receiving aservice, entering a geographical area, and/or attending an event (e.g.,generally or at a particular location).

Verification of an access-enabling code can further trigger amodification to access-enabling code data store 430. For example, a codethat has been verified can be removed from the data store or associatedwith a new status. This modification may limit attempts to use a samecode multiple times for resource access.

A combination of modules 414, 416, 418 comprise a secure addressableendpoint agent 420 that acts as an adapter and enables cross-deviceinterfacing in a secure and reliable manner so as to facilitateallocation of access-enabling codes and coordinate resource access.Secure addressable endpoint agent 420 can further generate a healthsignal that is transmitted to another device for monitoring of a statusof a communication channel. The health signal is optionally a shortmessage of a few bytes or many bytes in length that may be transmittedon a frequent basis (e.g., every few milliseconds or seconds). Acommunications manager 406 on the receiving device can then monitors thehealth signal provided by the agent to ensure that the communicationlink between the host server and device 400 is still operational.

In some instances, device 400 can include (or can be in communicationwith) a physical access control 432. Physical access control 432 caninclude a gating component that can be configured to provide a physicalbarrier towards accessing a resource. For example, physical accesscontrol 432 can include a turnstile or a packaging lock.

Physical access control 432 can be configured such that it can switchbetween two modes, which differ in terms of a degree to which useraccess to a resource is permitted. For example, a turnstile may have alocked mode that prevents movement of an arm of the turnstile and anunlocked mode that allows the arm to be rotated. In some instances, adefault mode is the mode that is more limiting in terms of access.

Physical access control 432 can switch its mode in response to receivingparticular results from code verification module 418. For example, uponreceiving an indication that a code has been verified, physical accesscontrol 432 can switch from a locked mode to an unlocked mode. It mayremain in the changed state for a defined period of time or until anaction or event is detected (e.g., rotation of an arm).

Device 400 can also include one or more environmental sensors 434.

Measurements from the sensor can processed by one or more applicationmodules. Environmental sensor(s) 434 can include a global positioningsystem (GPS) receiver 435 that can receive signals from one or more GPSsatellites. A GPS chipset can use the signals to estimate a location ofdevice 400 (e.g., a longitude and latitude of device 400). The estimatedlocation can be used to identify a particular resource (e.g., one beingoffered at or near the location at a current or near-term time). Theidentification of the particular resource can be used, for example, toidentify a corresponding (e.g., user-associated) access-enabling code orto evaluate an access-enabling code (e.g., to determine whether itcorresponds to a resource associated with the location).

The estimated location can further or alternatively be used to determinewhen to perform a particular function. For example, at a user device,detecting that the device is in or has entered a particular geographicalregion (e.g., is within a threshold distance from a geofence perimeteror entrance gate) can cause the device to retrieve or request anaccess-enabling code, conduct a verification analysis of the code and/ortransmit the code to a client device.

It will be appreciated that environmental sensor(s) 434 can include oneor more additional or alternative sensors aside from GPS receiver 435.For example, a location of device 400 can be estimated based on signalsreceived by another receive from different sources (e.g., base stations,client point devices or Wi Fi access points). As another example, anaccelerometer and/or gyroscope can be provided. Data from these sensorscan be used to infer when a user is attempting to present anaccess-enabling code for evaluation.

It will also be appreciated that the components and/or engines depictedin figures herein are illustrative, and a device need not include eachdepicted component and/or engine and/or can include one or moreadditional components and/or engines. For example, a device can alsoinclude a user interface, which may include a touch sensor, keyboard,display, camera and/or speakers. As another example, a device caninclude a power component, which can distribute power to components ofthe device. The power component can include a battery and/or aconnection component for connecting to a power source. As yet anotherexample, a module in the application layer can include an operatingsystem. As still another example, an application-layer control processormodule can provide message processing for messages received from anotherdevice. The message processing can include classifying the message androuting it to the appropriate module. To illustrate, the message can beclassified as a request for resource access or for an access-enablingcode, an update message or an indication that a code has been redeemedor verified. The message processing module can further convert a messageor command into a format that can interoperate with a target module.

It will further be appreciated that the components, modules and/oragents could be implemented in one or more instances of software. Thefunctionalities described herein need not be implemented in separatemodules, for example, one or more functions can be implemented in onesoftware instance and/or one software/hardware combination. Othercombinations are similarly be contemplated.

Further yet, it will be appreciated that a storage medium (e.g., usingmagnetic storage media, flash memory, other semiconductor memory (e.g.,DRAM, SRAM), or any other non-transitory storage medium, or acombination of media, and can include volatile and/or non-volatilemedia) can be used to store program code for each of one or more of thecomponents, modules and/or engines depicted in FIGS. 4 and 5 and/or tostore any or all data stores depicted in FIG. 4 or described withreference to FIGS. 4 and/or 5. Any device or system disclosed herein caninclude a processing subsystem for executing the code. The processingsystem can be implemented as one or more integrated circuits, e.g., oneor more single-core or multi-core microprocessors or microcontrollers,examples of which are known in the art.

FIG. 6 illustrates a flowchart of an embodiment of a process 600 forassigning access rights for resources. Process 600 can be performed byan access management system, such as access management system 120.Process 600 begins at block 605 where resource specification engine 502identifies one or more specifications for a resource. The specificationscan include, for example, a time at which the resource is to beavailable, a location of the resource, a capacity of the resourcesand/or one or more entities (e.g., performing entities) associated withthe resource.

At block 610, resource-access allocation engine 504 allocates a set ofaccess rights for the resource. In some instances, each of at least someof the access rights corresponds to a different access parameter, suchas a different location assignment. Upon allocation, each of some or allof the access rights may have a status as available. A subset of the setof access rights can be immediately (or at a defined time) assigned orreserved according to a base assignment or reservation rule (e.g.,assigning particular access rights to particular entities, who may beinvolved in or related to provision of the resource and/or who haverequested or been assigned a set of related access rights.

At block 615, communication engine 506 transmits the resourcespecifications and data about the access rights. The transmission canoccur in one or more transmissions.

The transmission can be to, for example, one or more user devices and/orintermediate systems. In some instances, a notification including thespecifications and access-right data is transmitted, and in someinstances, a notification can be generated at a receiving device basedon the specifications and access-right data. The notification caninclude, for example, a website that identifies a resource (via, atleast in part, its specifications) and indicates that access rights forthe resource are available for assignment. The notification can includean option to request assignment of one or more access rights.

At block 620, request management engine 512 receives a request for oneor more access rights to be assigned to a user. The request can, forexample, identify particular access rights and/or access parameters. Therequest can include or be accompanied by other information, such asidentifying information. In some instances, the access management systemcan use at least some of such information to determine whether anassignment process has been completed. In some instances, the request isreceived via an intermediate system that has already handled suchauthorization.

At block 625, resource scheduling engine 514 assigns the requested oneor more access rights to the user. The assignment can be conditioned onreceipt of all required information, confirmation that the accessright(s) have remained available for assignment, determining using datacorresponding to the request that a bot-detection condition is notsatisfied and/or other defined conditions. Assignment of the accessright(s) can include associating an identifier of each of the one ormore rights with an identifier of a user and/or assignment and/orchanging a status of the access right(s) to assigned. Assignment of theaccess right(s) can result in impeding or preventing other users fromrequesting the access right(s), being assigned the access right(s)and/or being notified that the access right(s) are available forassignment. Assignment of the access right(s) can, in some instances,trigger transmission of one or more communications to, for example, oneor more intermediate systems identifying the access right(s) andindicating that they have been assigned and/or with an instruction tocease offering the access rights.

At block 630, encoding engine 516 generates an access-enabling code foreach of the one or more access rights. The code can be generated, forexample, as part of the assignment, as part of the allocation orsubsequent to the assignment (e.g., upon detecting that a user isrequesting access to the resource). Generating an access-enabling codecan include applying a code-generation technique, such on one thatgenerates a code based on a characteristic of a user, user device,current time, access right, resource, intermediate system or othervariable. The access-enabling code can include a static code that willnot change after it has been initially generated or a dynamic code thatchanges in time (e.g., such that block 630 can be repeated at varioustime points).

At block 635, communication engine 506 transmits a confirmation of theassignment and the access-enabling code(s) in one or more transmissions.The transmission(s) may be sent to one or more devices, such as a userdevice having initiated the request from block 620, a remote server oran intermediate system having relayed the request from block 620.

Referring to FIG. 7A, an embodiment of a site system 180 is shown inrelation to mobile devices 724-n, Network Attached Storage (NAS) 750,site network 716 and the Internet 728. In some embodiments, for userslocated within the spatial region of the resource, site network 716 andsite system 180 provide content, services and/or interactive engagementusing mobile devices 724. Connections to site system 180 and sitenetwork 716 can be established by mobile devices 724 connecting toaccess points 720. Mobile devices 724 can be a type of end user device110 that is portable, e.g., smartphones, mobile phones, tablets, and/orother similar devices.

Site network 716 can have access to content (information about theresource, videos, images, etc.) held by NAS 750. Additionally, asdescribed herein, content can be gathered from users both before andduring the time period the resource is accessible. By connecting to sitenetwork 716, mobile device 724 can send content for use by site system180 or display content received from NAS 750.

Referring to FIG. 7B, another embodiment of a site system 180 is shownin relation to mobile devices 724-n, Network Attached Storage (NAS) 750,site network 716 and the Internet 728, in an embodiment. FIG. 7Badditionally includes phone switch 740. In some embodiments, phoneswitch 740 can be a private cellular base station configured to spoofthe operation of conventionally operated base stations. Using phoneswitch 740 at an event site allows site system 180 to provide additionaltypes of interactions with mobile devices 724. For example, without anysetup or configuration to accept communications from site controller712, phone switch 740 can cause connected mobile devices 724 to ringand, when answered, have an audio or video call be established. Whenused with other embodiments described herein, phone switch 740 canprovide additional interactions. For example, some embodiments describedherein use different capabilities of mobile devices 724 to cause masssounds and/or establish communications with two or more people. Bycausing phones to ring and by establishing cellular calls, phone switchcan provide additional capabilities to these approaches.

FIG. 8 shows a block diagram of user device 110 according to anembodiment. User device 110 includes a handheld controller 810 that canbe sized and shaped so as enable the controller and user device 110 in ahand. Handheld controller 810 can include one or more user-deviceprocessors that can be configured to perform actions as describedherein. In some instances, such actions can include retrieving andimplementing a rule, retrieving an access-enabling code, generating acommunication (e.g., including an access-enabling code) to betransmitted to another device (e.g., a nearby client-associated device,a remote device, a central server, a web server, etc.), processing areceived communication (e.g., to perform an action in accordance with aninstruction in the communication, to generate a presentation based ondata in the communication, or to generate a response communication thatincludes data requested in the received communication) and so on.

Handheld controller 810 can communicate with a storage controller 820 soas to facilitate local storage and/or retrieval of data. It will beappreciated that handheld controller 810 can further facilitate storageand/or retrieval of data at a remote source via generation ofcommunications including the data (e.g., with a storage instruction)and/or requesting particular data.

Storage controller 820 can be configured to write and/or read data fromone or more data stores, such as an application storage 822 and/or auser storage 824. The one or more data stores can include, for example,a random access memory (RAM), dynamic random access memory (DRAM),read-only memory (ROM), flash-ROM, cache, storage chip, and/or removablememory. Application storage 822 can include various types of applicationdata for each of one or more applications loaded (e.g., downloaded orpre-installed) onto user device 110. For example, application data caninclude application code, settings, profile data, databases, sessiondata, history, cookies and/or cache data. User storage 824 can include,for example, files, documents, images, videos, voice recordings and/oraudio. It will be appreciated that user device 110 can also includeother types of storage and/or stored data, such as code, files and datafor an operating system configured for execution on user device 110.

Handheld controller 810 can also receive and process (e.g., inaccordance with code or instructions generated in correspondence to aparticular application) data from one or more sensors and/or detectionengines. The one or more sensors and/or detection engines can beconfigured to, for example, detect a presence, intensity and/or identifyof (for example) another device (e.g., a nearby device or devicedetectable over a particular type of network, such as a Bluetooth,Bluetooth Low-Energy or Near-Field Communication network); anenvironmental, external stimulus (e.g., temperature, water, light,motion or humidity); an internal stimulus (e.g., temperature); a deviceperformance (e.g., processor or memory usage); and/or a networkconnection (e.g., to indicate whether a particular type of connection isavailable, a network strength and/or a network reliability).

FIG. 8 shows several exemplary sensors and detection engines, includinga peer monitor 830, accelerometer 832, gyroscope 834, light sensor 836and location engine 838. Each sensor and/or detection engine can beconfigured to collect a measurement or make a determination, forexample, at routine intervals or times and/or upon receiving acorresponding request (e.g., from a processor executing an applicationcode).

Peer monitor 830 can monitor communications, networks, radio signals,short-range signals, etc., which can be received by a receiver of userdevice 110) Peer monitor 830 can, for example, detect a short-rangecommunication from another device and/or use a network multicast orbroadcast to request identification of nearby devices. Upon or whiledetecting another device, peer monitor 830 can determine an identifier,device type, associated user, network capabilities, operating systemand/or authorization associated with the device. Peer monitor 530 canmaintain and update a data structure to store a location, identifierand/or characteristic of each of one or more nearby user devices.

Accelerometer 832 can be configured to detect a proper acceleration ofuser device 110. The acceleration may include multiple componentsassociated with various axes and/or a total acceleration. Gyroscope 834can be configured to detect one or more orientations (e.g., viadetection of angular velocity) of user device 110. Gyroscope 834 caninclude, for example, one or more spinning wheels or discs, single- ormulti-axis (e.g., three-axis) MEMS-based gyroscopes.

Light sensor 836 can include, for example, a photosensor, such asphotodiode, active-pixel sensor, LED, photoresistor, or other componentconfigured to detect a presence, intensity and/or type of light. In someinstances, the one or more sensors and detection engines can include amotion detector, which can be configured to detect motion. Such motiondetection can include processing data from one or more light sensors(e.g., and performing a temporal and/or differential analysis).

Location engine 838 can be configured to detect (e.g., estimate) alocation of user device 110. For example, location engine 838 can beconfigured to process signals (e.g., a wireless signal, GPS satellitesignal, cell-tower signal, iBeacon, or base-station signal) received atone or more receivers (e.g., a wireless-signal receiver and/or GPSreceiver) from a source (e.g., a GPS satellite, cellular tower or basestation, or WiFi access point) at a defined or identifiable location. Insome instances, location engine 838 can process signals from multiplesources and can estimate a location of user device 110 using atriangulation technique. In some instances, location engine 838 canprocess a single signal and estimate its location as being the same as alocation of a source of the signal.

User device 110 can include a flash 842 and flash controller 846. Flash842 can include a light source, such as (for example), an LED,electronic flash or high-speed flash. Flash controller 846 can beconfigured to control when flash 842 emits light. In some instances, thedetermination includes identifying an ambient light level (e.g., viadata received from light sensor 836) and determining that flash 842 isto emit light in response to a picture- or movie-initiating input whenthe light level is below a defined threshold (e.g., when a setting is inan auto-flash mode). In some additional or alternative instances, thedetermination includes determining that flash 846 is, or is not, to emitlight in accordance with a flash on/off setting. When it is determinedthat flash 846 is to emit light, flash controller 846 can be configuredto control a timing of the light so as to coincide, for example, with atime (or right before) at which a picture or video is taken.

User device 110 can also include an LED 840 and LED controller 844. LEDcontroller 844 can be configured to control when LED 840 emits light.The light emission may be indicative of an event, such as whether amessage has been received, a request has been processed, an initialaccess time has passed, etc.

Flash controller 846 can control whether flash 846 emits light viacontrolling a circuit so as to complete a circuit between a power sourceand flash 846 when flash 842 is to emit light. In some instances, flashcontroller 846 is wired to a shutter mechanism so as to synchronizelight emission and collection of image or video data.

User device 110 can be configured to transmit and/or receive signalsfrom other devices or systems (e.g., over one or more networks, such asnetwork(s) 170). These signals can include wireless signals, andaccordingly user device 110 can include one or more wireless modules 850configured to appropriately facilitate transmission or receipt ofwireless signals of a particular type. Wireless modules 850 can includea Wi-Fi module 852, Bluetooth module 854, near-field communication (NFC)module 856 and/or cellular module 856. Each module can, for example,generate a signal (e.g., which may include transforming a signalgenerated by another component of user device 110 to conform to aparticular protocol and/or to process a signal (e.g., which may includetransforming a signal received from another device to conform with aprotocol used by another component of user device 110).

Wi-Fi module 854 can be configured to generate and/or process radiosignals with a frequency between 2.4 gigahertz and 5 gigahertz. Wi-Fimodule 854 can include a wireless network interface card that includescircuitry to facilitate communicating using a particular standard (e.g.,physical and/or link layer standard).

Bluetooth module 854 can be configured to generate and/or process radiosignals with a frequency between 2.4 gigahertz and 2.485 gigahertz. Insome instances, bluetooth module 854 can be configured to generateand/or process Bluetooth low-energy (BLE or BTLE) signals with afrequency between 2.4 gigahertz and 2.485 gigahertz.

NFC module 856 can be configured to generate and/or process radiosignals with a frequency of 13.56 megahertz. NFC module 856 can includean inductor and/or can interact with one or more loop antenna.

Cellular module 858 can be configured to generate and/or processcellular signals at ultra-high frequencies (e.g., between 698 and 2690megahertz). For example, cellular module 858 can be configured togenerate uplink signals and/or to process received downlink signals.

The signals generated by wireless modules 850 can be transmitted to oneor more other devices (or broadcast) by one or more antennas 859. Thesignals processed by wireless modules 850 can include those received byone or more antennas 859. One or more antennas 859 can include, forexample, a monopole antenna, helical antenna, intenna, Planar Inverted-FAntenna (PIFA), modified PIFA, and/or one or more loop antennae.

User device 110 can include various input and output components. Anoutput component can be configured to present output. For example, aspeaker 862 can be configured to present an audio output by convertingan electrical signal into an audio signal. An audio engine 864 caneffect particular audio characteristics, such as a volume,event-to-audio-signal mapping and/or whether an audio signal is to beavoided due to a silencing mode (e.g., a vibrate or do-not-disturb modeset at the device).

Further, a display 866 can be configured to present a visual output byconverting an electrical signal into a light signal. Display 866 mayinclude multiple pixels, each of which may be individually controllable,such that an intensity and/or color of each pixel can be independentlycontrolled. Display 866 can include, for example, an LED- or LCD-baseddisplay.

A graphics engine 868 can determine a mapping of electronic image datato pixel variables on a screen of user device 110. It can further adjustlighting, texture and color characteristics in accordance with, forexample, user settings.

In some instances, display 866 is a touchscreen display (e.g., aresistive or capacitive touchscreen) and is thus both an input and anoutput component. A screen controller 870 can be configured to detectwhether, where and/or how (e.g., a force of) a user touched display 866.The determination may be made based on an analysis of capacitive orresistive data.

An input component can be configured to receive input from a user thatcan be translated into data. For example, as illustrated in FIG. 8, userdevice 110 can include a microphone 872 that can capture audio data andtransform the audio signals into electrical signals. An audio capturemodule 874 can determine, for example, when an audio signal is to becollected and/or any filter, equalization, noise gate, compressionand/or clipper that is to be applied to the signal.

User device 110 can further include one or more cameras 876, 880, eachof which can be configured to capture visual data (e.g., at a given timeor across an extended time period) and convert the visual data intoelectrical data (e.g., electronic image or video data). In someinstances, user device 110 includes multiple cameras, at least two ofwhich are directed in different and/or substantially oppositedirections. For example, user device 110 can include a rear-facingcamera 876 and a front-facing camera 880.

A camera capture module 878 can control, for example, when a visualstimulus is to be collected (e.g., by controlling a shutter), a durationfor which a visual stimulus is to be collected (e.g., a time that ashutter is to remain open for a picture taking, which may depend on asetting or ambient light levels; and/or a time that a shutter is toremain open for a video taking, which may depend on inputs), a zoom, afocus setting, and so on. When user device 110 includes multiplecameras, camera capture module 878 may further determine which camera(s)is to collect image data (e.g., based on a setting).

FIG. 9 illustrates sample components of an embodiment of site system180, including connections to NAS 750 and access management system 185.Embodiments of site controller 712 use network manager 920 to connectvia access points 720 (using e.g., WiFi 952, Bluetooth 953, NFC 956,Ethernet 958, and/or other network connections) to other networkcomponents, such as site network 716 and mobile devices 724. In someembodiments, site system 280 uses site controller 712 to control aspectsof a spatial region associated with a resource. An access right grantsaccess to the spatial region during a defined time period. A broadvariety of features can be controlled by different embodiments,including: permanent lights (e.g., with lighting controller 922), lights(e.g., with presentment controller 924), display screens (e.g., withstage display(s) controller 912), permanent display screens (e.g., withpermanent display(s) controller 914), and the sound system (e.g., withthe sound system controller 916).

A more detailed view of NAS 750 is shown, including NAS controller 930coupled to user video storage 932, captured video storage 934,preference storage 936, and 3D model 938. Captured video storage 934 canreceive, store and provide user videos received from mobile devices 724.In some embodiments, site controller 712 triggers the automatic captureof images, audio and video from mobile devices 724, such triggeringbeing synchronized to activities in an event. Images captured by thisand similar embodiments can be stored on both the capturing mobiledevice 724 and user video storage 932. In an embodiment, site controller712 can coordinate the transfer of information from mobile devices toNAS 750 (e.g., captured media) with activities taking place during theevent.

When interacting with mobile devices 724, some embodiments of sitecontroller 712 can provide end user interfaces 926 to enable differenttypes of interaction. For example, as a part of engagement activities,site controller may offer quizzes and other content to the devices.Additionally, with respect to location determinations discussed herein,site controller can supplement determined estimates with voluntarilyprovided information using end user interfaces 926, stored in a storagethat is not shown.

In some embodiments, to guide the performance of different activities,site controller 712 and/or other components may use executable code 938tangibly stored in code storage 939. In some embodiments, siteinformation storage 937 can provide information about the site, e.g., 3Dmodels of site features and structure.

Referring next to FIG. 10A, an example of a communication exchange 1000a involving primary load management system 1014 and each of a pluralityof secondary load management systems 1016 a, 1016 b is shown. In someinstances, secondary load management system 1016 a is managed by anentity different than an entity that manages secondary load managementsystem 1016 b. Primary load management system 1014 may include and/orshare properties with a primary assignment management system 214. Eachof one or both of secondary load management system 1016 a and 1016 b mayinclude or correspond to a secondary assignment system 216.Communications shown in FIG. 10A may be transmitted over one or morenetworks, such as network 270, the Internet and/or a short-rangenetwork.

In one instance, one of secondary load management system 1016 a or 1016b is managed by a same entity as manages primary load management system1014. In one instance, each of secondary load management system 1016 and1016 b is managed by an entity different than an entity managing primaryload management system 1014. Primary load management system 1014 caninclude a system that, for example, manages a master access-rightassignment data store, distributes access codes, performs verificationdata for access attempts, and so on. Secondary load management systems1016 a, 1016 b can include systems that, for example, facilitateassignment of access codes to users. For example, secondary loadmanagement systems 1016 a, 1016 b can be configured to requestallocation of access-right slots, which may result in a temporary orfinal allocation or assignment to the system, a hold on the access-rightslots, and/or a distribution of data pertaining to the slot(s).Secondary load management systems 1016 a, 1016 b may then facilitatetransmission of the access-right slots to one or more users and identifya user that has requested one or more particular access-right slots. Thesecondary load management system can then facilitate an assignment ofthe access-right slots by (for example) transmitting one or more accesscodes to the user device, identifying the user to primary loadmanagement system 1014 or updating assignment data.

Communication exchange 1000 a begins with transmission of one or morerule specifications from each secondary load management system 1016 a,1016 b to primary load management system 1014. The rule specificationcan include one or more request parameters identify parameters of a loadrequested for allocation. For example, a rule specification can includea specification pertaining to a size of a target load (e.g.,corresponding to a number of access-right slots). The specification mayinclude a particular number or a threshold. A rule specification caninclude a specification of a type of at least part of the load, such asone that identifies a resource or type of resource and/or one thatidentifies a characteristic of one or more access-right slots (e.g., alocation). The specification may include a first allocation parameterthat may identify a value for which access-right slots are beingrequested.

In some instances, a rule and/or request corresponds to a singleresource, while in others, the rule and/or request corresponds tomultiple resources. For example, a request may be for access-rightresults pertaining to each of three resources or to each resourceavailable at a location in a season. Thus, in some instances, a rulespecification identifies or is indicative of a number of resources.Resources may, but need not, be specifically identified in a rulespecification, rule and/or request. For example, a rule specificationmay indicate that a defined number or range (e.g., 100-200) ofaccess-right slots is requested for any given resource within a definedtime period (e.g., year).

A rule specification can include an allocation parameter that identifiesa parameter for allocating a load should it be allocated to thesecondary load management system. To illustrate, secondary loadmanagement system 1016 a, 1016 b may be configured to receiveallocations of access-right slots but to attempt to facilitateassignment of the access-right slots to users. Communication exchange1000 a can be configured so as to promote facilitated distribution tousers upon allocation of access-right slots to a secondary loadmanagement system. Early provision of allocation parameters by asecondary load management system can promote such quick facilitateddistribution.

For example, an allocation parameter can identify one or morecommunication channels (e.g., webpages, portals,information-distribution protocols, email addresses, etc.) fortransmitting information pertaining to at least part of the load to eachof one or more devices and/or an a second allocation parameter. Thisinformation may enable primary load management system 1014 to (forexample) automatically provide information pertaining to allocatedaccess-right slots via the communication channel(s) and/or to verifythat allocation parameters comply with one or more primary-system rules(e.g., that may include an upper and/or lower threshold for anallocation parameter and/or limits on which communication channels maybe used).

Primary load management system 1014 can define a rule for each secondaryload management system 1016 a, 1016 b based on the rule specifications.The rules can be stored in a secondary system rules data store 1018.

Primary load management system 1014 can further include a load datastore 1020. Load data store 1020 can include, for example, informationpertaining to which access-right slots for a given resource areavailable and information pertaining to each of those slots. Load datastore 1020 can further identify information pertaining to one or moredefined loads, such as which access-right slots are corresponding to theload, to which secondary load management system a load has beenallocated, whether an allocation includes any restrictions (e.g., timelimits).

Primary load management system 1014 can assess whether a set ofavailable access-right slots corresponds to request parametersidentified in any secondary-system rules. For example, it can bedetermined whether a resource type corresponds to that specified in arequest parameter, whether a quantity (and/or contiguous quantity)corresponds to that specified in a request parameter, whether a type ofthe access-right slots corresponds to that specified in a requestparameter, and/or whether the quantity of access-right slots can beallocated for a value that corresponds to a first allocation parameterspecified in a request parameter (e.g., the determination being based ondefined values or thresholds associated with the access-right slotsand/or a primary-system rule).

In some instances, it may be determined that request parametersidentified in rules for multiple secondary load management systemcorrespond to a same load or to a same at least part of a load. Primaryload management system 1014 may include a switch, such as a contentswitch, that may evaluate a load, rules and/or systems to determine towhich secondary load management system 1016 a load is to be allocated oridentified. In these instances, the rules and/or systems may beprioritized to determine to which entity the load is to be allocated.The prioritization may depend on, for example, defined prioritizationsof the systems, a time at which rule specifications were submitted(e.g., prioritizing early submission), a size parameter (e.g.,prioritizing either lower or larger size requests), and/or firstallocation parameters (e.g., prioritizing larger first allocationparameters).

It will be appreciated that, in various instances, a load may begenerated in response to evaluation of a load (e.g., in an attempt todefine a load that accords with request parameters), or a load may befirst defined (e.g., based on which access-right slots remain availableand/or distribution priorities of the primary load management system)and it is then determined which rule to which the load corresponds. Insome instances, a primary-system rule as to which access-right slots areto be included in a load and/or a secondary-system rule as to whichaccess-right slots are requested may depend on information, such as anenvironmental characterization corresponding to a resource, a throughputmonitor and/or a discrepancy associated with a resource (e.g., a spreador line associated with a resource). In some instances, a primary-systemrule and/or secondary-system rule may include a function that relates anenvironmental characteristic, throughput characteristic and/ordiscrepancy with an allocation parameter (e.g., such that largerdiscrepancies, poorer environmental characteristics and/or lowerthroughput prospects result in lower allocation parameters).

When it is determined that a load corresponds to a secondary-system rule(and/or any prioritization is performed), primary load management systemcan transmit a trigger indication to the associated secondary loadmanagement system 1016 a. The trigger indication may identifycharacteristics of the load (e.g., a size, type of one or moreaccess-right slots, resource, and/or allocation value). In someinstances, the trigger indication may identify a rule and/or whatspecifications were defined in the triggered rule.

In some instances, communication exchange 1000 a is configured so as toprovide a secondary load management system 1016 a a defined time periodfor transmitting a request responsive to a trigger indication.Access-right slots may, but need not, be placed on hold for the timeperiod. Should a request not be received within the time period, primaryload management system 1014 may transmit a same or different triggerindication to another secondary load management system with a rulecorresponding to the load or may redefine a load so as to correspondwith a rule of another secondary load management system and transmit atrigger indication accordingly. In some instances, a trigger indicationis simultaneously transmitted to multiple secondary load managementsystems 1016, and a load may be allocated to a system that thereafterrequests the load (e.g., in accordance with a first-responder or othersecondary-system selection technique).

Secondary load management system 1016 a can then transmit a requestcommunication back to primary load management system that requests theload. Primary load management system 1014 can then transmit a responsecommunication that confirms that the load is being allocated. In someinstances, the response communication is transmitted subsequent to or intemporal proximity of a time at which a charge is issued or collectedfor the load. In some instances, then response communication includesfurther information about the load. For example, location ofaccess-right slots in the load may be more precisely identified.

Secondary load management system 1016 a can store data pertaining to theload in a load data store 1022. Load data store 1022 may further trackstatuses of access-right slots so as to be able to identify whichaccess-right slots have been assigned to users. Secondary loadmanagement system 1016 a can further manage and/or have access to aresource specification data store 1024 that can associate identifiers ofvarious resources with corresponding information. The resourcespecifications may be, for example, included in a trigger-information orresponse communication from primary load management system 1014;identified via an external search (e.g., web crawl), and so on. Resourcespecifications may include, for example, a location and/or a date andtime.

A user device 1026 can also transmit rule specifications to one or moreof primary load management system 1014 and 1016 a. The rulespecifications may include request parameters, such as a sizespecification, type specification and/or assignment value (e.g., thatmay be precisely identified or a threshold). When rule specificationsare transmitted and/or availed to secondary load management system 1016a, a corresponding user rule can be defined for the user device and/oruser.

Secondary load management system 1016 a can distribute data of aresource (or multiple resources) corresponding to the load allocated tothe system. The resource data can include one or more resourcespecifications stored at resource specification data store 1024. Theresource data may further include data associated with one or moreaccess-right slots included in the load. For example, the resource datamay identify a time and location of a resource and a location of each ofone or more access-right slots. In some instances, the resource datafurther includes an allocation parameter, such as the second allocationparameter and/or one defined based thereupon included in asecondary-system rule specification or included in a rule associatedwith secondary load management system 1016 a.

In some instances, secondary load management system 1016 a controls thetransmission of the resource data to one or more user devices 1026. Insome instances, primary load management system 1014 facilitates thetransmission. For example, the data may be identified in an interfaceprovided, controlled and/or managed by secondary load management system1016 a, but primary load management system 1014 may have authorizationto update the webpage, and thus primary load management system canupdate the secondary-system to include the resource data.

In some instances, resource data is selectively transmitted to userdevices. For example, resource data may be transmitted only to the userdevices associated with user rules corresponding with at least part ofthe load.

User device 1026 can request assignment of at least part of the load.The user request can identify, for example, one or more access-rightslots (e.g., and/or one or more resources). Secondary load managementsystem 1016 a can evaluate the request and respond with load responsedata. Such a response may be conditioned (for example) on confirmingcompletion of the assignment process. The load response data may (forexample) indicate that the assignment has been accepted and/or includeconfirmation data. Upon such acceptance, secondary load managementsystem 1016 a can also transmit assignment data to primary loadmanagement system. The load data can include an identification of theuser device (or corresponding information, such as a name, email,profile, device identifier or phone number of a corresponding user)and/or one or more access-right slots being assigned. Primary assignmentmanagement system can update an assignment data store and/or load datastore 1020 to reflect the assignment.

Primary load management system 1014 can then retrieve access code datafrom an access code data store 1030 and transmit the access code data touser device 1026. The access code data can correspond to the one or moreaccess rights being assigned to the user. The access code data can betransmitted (for example) immediately, at a defined time (e.g., relativeto a time of a resource), or upon receiving a request (e.g., triggeredby a user input or detecting that a user device has crossed a geofencecorresponding to a resource).

User device 1026 can store the access code(s) in an access-code datastore 1030 b. Subsequently, user device 1026 can retrieve theaccess-code data and transmitting it to a site controller 712 (e.g.,upon detecting the site controller, upon receiving a request from thesite controller or in response to detecting a corresponding user input).Site controller 712 can include one located at a resource location. Sitecontroller 712 can transmit the access-code data to primary loadmanagement system 1014, which can then determine whether the code is avalid code, has not been previously redeemed and/or corresponds to oneor more characteristics (e.g., a resource associated with or identifiedby the site controller, a time, a device characteristic, etc.). A resultof such determination(s) can be transmitted back to site controller 712such that a user can then be granted or denied requested access to aresource.

It will be appreciated that one, more or all communications representedin communication exchange 1000 a can be transmitted via (for example) aweb site, a web portal, another portal, an email exchange, a message(e.g., SMS message) exchange, and/or an API.

It will be appreciated that part or all of a communication exchange canbe performed in an automated or semi-automated manner. For example, oneor more rules (e.g., secondary-system rules or user rules) can bedefined so as to trigger automatic allocation or assignment upondetecting data that corresponds to request parameters in the rules. Asanother example, the one or more rules can be defined so as to trigger anotification communication to the user device or secondary loadmanagement system that includes an alert that the request parameters aresatisfied and enable to user device or secondary load management systemto transmit a request for allocation or assignment.

It will also be appreciated that various modifications to communicationexchange 1000 a are contemplated. For example, in one instance,secondary load management system 1016 a may at least partly manageaccess codes. For example, one or more access codes corresponding to aload may be transmitted from primary load management system 1014 tosecondary load management system 1016 a as part of a response. Secondaryload management system 1016 a may then transmit select access codes to auser device 1026, and (in various instances) either primary loadmanagement system 1014 or secondary load management system 1016 a mayprovide verification of the code to site controller 712.

Referring next to FIG. 10B, another example of a communication exchange1000 b involving primary load management system 1014 and each of aplurality of secondary load management systems 1016 a, 1016 b is shown.In this instance, two different types of access code data are associatedwith an assignment.

As shown, in response to an initial assignment of an access-right slot,primary load management system 1014 transmits first access code data touser device 1026. The first access code data may include datarepresenting that access to a resource has been authorized. However, inthis instance, the first access code data may lack a precision ofassociation that would associate the first access code data with one ormore particular access characteristics. For example, the data may lackinformation that would identify a particular location within a resourcearea for which access is to be granted.

Subsequently (e.g., after a predefined time period, such as within adefined period from a resource time; and/or when a user device 1026crosses a geofence corresponding to a resource, and/or when a userdevice 1026 receives input or a site-controller request indicating thataccess data is to be transmitted to a nearby site controller), userdevice 1026 may retrieve the first access code data and transmit it(e.g., via a short-range communication) to a first site controller 712a.

First site controller 712 a may communicate with primary load managementsystem 1014 to verify the data, in a manner similar to that describedherein. Upon detecting that the first access code data has beenverified, first site controller 712 a can transmit second access codedata to user device 1026. The second access code data have a precisionof association that associates the data with one or more particularaccess characteristics. The second access code data may be, for example,generated at first site controller 712 a or received from primary loadmanagement system (e.g., as part of the verification communication or aspart of another communication). The particular access characteristicsmay be identified based on, for example, a technique described in U.S.application Ser. No. 14/063,929, filed on Oct. 25, 2013, which is herebyincorporated by reference in its entirety for all purposes. Theparticular access characteristics may be identified based on, forexample, for which and/or how many access-right results first accesscode data had been previously verified and/or which and/or how manysecond access codes had been generated and/or transmitted.

The second access code data may indicate where access to a resource isauthorized, and user device 1026 may thus move to a correspondinglocation. In some instance, a second site controller 712 b is associatedwith the corresponding location. User device 1026 may then transmit thesecond access code data (e.g., when user device 1026 detects that it hascrossed a geofence corresponding to the location and/or when user device1026 receives input or a site-controller request indicating that accessdata is to be transmitted to a nearby site controller) to second sitecontroller 712 b. Second site controller 712 b can determine whether thecode is verified (e.g., valid, has not been previously used, and/orcorresponds to the user device 1026 and/or location). The determinationcan include (for example) transmitting the second access code data toanother device (e.g., primary load management system 1014, a localserver, or another site controller, such as first site controller 712 a)and receiving second verification data that indicates whether the secondaccess code data is verified. The determination can, alternatively oradditionally, include a local determination, which may be based (forexample) on comparing the second access code data to data in a localaccess-code data store to determine whether there is a match and/orwhether the second access code data (or corresponding access code datathat is associated with same one or more particular characteristics) hasbeen previously verified. The local access-code data store may bepopulated by second site controller 712 b, for example, in response tocommunications from one or more other site controllers and/or primaryload management system 1014 that identify second access code data thathave been issued.

Referring to FIGS. 11-14, user devices accessing the primary loadmanagement system to request assignment of access rights to a resourcemay be initially assigned a queue position in a digital queue beforebeing enabled to access an interface for creating and transmitting therequests for access rights. Certain aspects and features of the presentdisclosure relate to automatically determining an ordering of users byassigning the users to queue positions of a digital queue based onclient-defined protocols. The client-defined protocols are differentacross resources, and thus, the ordering of users for a given request isdifficult to predict. Further, the client-defined protocols areconfigured to modify user parameters associated with the users to biastowards users associated with a client-identified data source or aclient-defined objective. Thus, automated scripts configured to mimichuman users may be prevented from being positioned in favorablepositions of digital queues. Biasing towards users targeted by theclient may include, for each user device included in the queue and inthe group of user devices targeted by the client, the corresponding userparameter of each of those user devices may be modified so as to changea queue position associated with the user device. The user deviceincluded in the group targeted by the client (e.g., members of a fanclub) may be selected to access the interface before a user device thatis not included in the targeted group.

The users who accessed the online platform may be assigned queuepositions in the digital queue, according to certain implementationsdescribed herein. At a regular or irregular time interval, a group ofqueue positions in the digital queue may be automatically processed.Processing a queue position in the digital queue includes enabling theuser device associated with the queue position to access an interfacethat allows users to create and transmit requests for access rights to aparticular resource (e.g., an event data page that enables users torequest event tickets). For example, when the queue position associatedwith a user is selected, the user device operated by the user may begranted access to the interface. Non-limiting examples of providingaccess to the interface may include transmitting a communication to theuser device indicating that the user is enabled to access the interfaceand providing a link to the interface; a browser operating on the userdevice being automatically navigated to the interface; and a selectableelement (e.g., a selectable button or hyperlink) that is unselectedprior to the user's queue position being selected and is selectable whenthe user's queue position is selected for accessing the interface (e.g.,and once the selectable element is selected, navigating the user to theinterface).

In some implementations, the queue position of a user may be determinedusing a user parameter. A user parameter may be generated by the primaryload management system to represent a likelihood that a specific usersatisfies a target objective. Examples of target objective may includebeing a human user, being a human user who is a fan of a performer orteam, not being an automated script, requesting access rights to aparticular resource, and other suitable target objectives, which may beuser defined. For example, U.S. Ser. No. 15/983,475, filed on May 18,2018, the disclosure of which is incorporated herein by reference in itsentirety for all purposes, describes a technique for generating a userparameter. It will be appreciated that any technique for generating auser parameter may be used, and thus, the present disclosure is notlimited to any particular technique for generating a user parameter.

Certain aspects and features of the present disclosure include modifyingthe user parameters of some or all user requests stored in the digitalqueue based on one or more data sources determined or identified by aclient associated with the digital queue. A normalization systemprovided by the primary load management system may receive or access theuser parameters associated with the users in the digital queue. Forexample, a user parameter may be a score or value representing alikelihood that a particular user is a human user. Each queue positionin the queue may store metadata identifying a user, such as a useridentifier, a unique token value, and resource identifier, and so on.Further, the dynamic, protocol-based scoring of users provides a botmitigation technique that identifies human users over automated scripts(e.g., bots) in a targeted and client-specific manner. For instance,because a user is ordered in a queue based on his or her client- orevent-specific user parameter before being provided access to theinterface, human users are provided with access to the interface earlierthan detected bot users, thereby inhibiting bot traffic.

Certain embodiments of the present disclosure relate to a scoringnormalization and priority service (e.g., referred to herein as anormalization system) that is configured to normalize user parameters(e.g., scores or values) from various internal or external systems. Thenormalization of user scores may be performed in light of a client orresource specific protocol. In some implementations, a user parametermay be modified according to the client or resource specific protocol.

To illustrate and only as a non-limiting example, a client may behosting or otherwise associated with a specific resource. The client maydefine a protocol configured to prioritize users who are members of aclient-associated group (e.g., a fan club of a performer). Executing theprotocol may influence network traffic to the interface that enablesusers to request access rights to a resource associated with the client.The protocol may be defined with the objective of assigning accessrights to human users over bot users (e.g., mimicking human users byexecuting automated scripts). The protocol may include executable codethat, when executed, determines whether or not the user requesting anaccess right to the resource is a member of a predetermined group (e.g.,a group preferred by or targeted by the client); determining whether ornot the user is a human user based on an internal bot detectionmechanisms (e.g., generating user parameters that are predictive ofusers being bots); and determining the age of the user account. Thedefined protocol may prioritize human users, for example, by adding anincremental value (e.g., 0.3 added) to the user parameter of a user ineach of the following instances: (1) if that user is a member of thepredetermined group, (2) if the user is predicted to be a human userbased on the user parameter (e.g., the user parameter is above a certainthreshold value corresponding to human users), or (3) if the user hashad his or her user account for over five years. As another example, thenormalization system may determine a normalization value to add to theuser parameter corresponding to a user. The normalization value may bean incremental value that is determined based on the user's ordering inanother data source. For instance, the protocol may include a preferencefor users who are ordered in a data source according to age of a useraccount. The incremental value that is added to the user parameter of auser may be determined based on the ordering of the user account age. Inthis example, the incremental value for the user with the oldest useraccount may be “1,” whereas, the incremental value for the user with thenewest user account may be “0.1.” The incremental value may be added tothe existing user parameter associated with the user, and the entire setof users may be reordered in the digital queue. In this case, theprotocol may cause users with older user accounts to be prioritized inthe digital queue. It will be appreciated that the present disclosure isnot limited to adding or subtracting the incremental value from anexisting user parameter. Instead, any technique for combining two ormore values may be used with the implementations described herein.

Conversely, the normalization system can subtract a defined value (e.g.,0.3) from the user parameter of a user in each of the followinginstances: (1) if the user is not a member of the predetermined group,(2) if the user is not a human user based on the user parameter (e.g.,the user parameter is below a threshold value corresponding to potentialbot users), and (3) if the user has had his or her user account for lessthan a year. Alternatively, the objective of the protocol may be toassign access rights, regardless of whether of the access rights areassigned to human users or automated script users. In this case, theprotocol may be different from the above protocol. For example, theprotocol may include simply adding a predetermined value (e.g., 0.5) touser parameters of users who have logged in to the online platformoperated by the primary load management system. The normalized userparameters (e.g., the predetermined value or the incremental value addedto or subtracted from the user parameter) may be outputted by thenormalization system for each user to a queuing system to place thecorresponding user at a queue position of the digital queue in an ordercorresponding to the normalized user parameters. Advantageously, thenormalized user parameter may represent a real-time assessment ofwhether the user satisfies an objective determined by the client (asdefined by the protocol).

In some implementations, the user is scored using the normalizationsystem without experiencing any front-end interface changes. Thenormalization performed by the normalization system may occur withoutthe user recognizing that the normalization of user parameters isoccurring. From the user's perspective, if the user logs in, the userwaits until a selectable link or button is displayed on the webpagebecomes selectable. For example, the selectable link or button mayinitially be unselectable while the user is placed in the digital queue.However, in some implementations, when the queue position of the user isready to be processed, the user will automatically be provided withaccess to the interface for requesting access rights (e.g., the link orbutton may become selectable, and upon selection, the user deviceoperated by the user may be navigated to the interface). In someimplementations, the formerly unselectable link or button willautomatically become selectable when the queue position of the user isready to be processed. When the user selects the now selectable link orbutton, the user may be directed to the interface. The interface may beconfigured to enable the user to submit queries for available accessrights to a given resource, for example, access rights that satisfycertain criteria, such as date or location. However, while the user islogged into his or her account of the online platform (which may or maynot be required), the user may not be presented with any indication ofthe normalization system normalizing user parameters for that user fromvarious data sources and of being placed in a digital queue based onthat normalized user parameter.

Non-limiting examples of the signals received and processed by thenormalization system to generate a normalized client- orresource-specific user parameter may include whether or not the fan haslogged in to the online platform; the existing user parameter associatedwith the user (e.g., determined by techniques described in U.S. Ser. No.15/983,475, filed on May 18, 2018, the disclosure of which isincorporated by reference herein in its entirety for all purposes);whether or not the user has accessed a gateway page before or after theaccess rights of a resource become available for assignment to users;whether or not the user is a member of a predetermined group; and anyother suitable data signals or data sources.

In some implementations, the normalization system can normalize userparameters in real-time while the user is interacting with the onlineplatform. For example, the user may access the webpage representing theonline platform (which does not enable any creating or transmitting ofrequests for access rights). The webpage representing the onlineplatform may provide users with an opportunity to log into the onlineplatform or whichever system is associated with the resource. If theuser does not log in, that user is still automatically scored using thenormalization system (e.g., potentially after selecting a displayed linkor button that triggers the normalization process in the back-endservers). In situations where the user does not log in, the primary loadmanagement system may access third-party data sources to identify theuser or at least gain additional data representing the user. Forexample, the user's email address, IP address, location, or any otherdetectable information can be sent to a third-party data source to querywhether the third-party data source has any additional information thatcorresponds to or matches the detected information. According to certainembodiments, the normalization system may reduce the user parameter orthe combination of user parameters retrieved from various data sources.The user parameter reduction may be performed because the user has notlogged in. Further, the user may be placed in a digital queue (withoutthe interface visually indicating that the user is in a queue) based onthe normalized user parameter outputted by the normalization system.However, if the user then chooses to log in, then the user's normalizeduser parameter may be updated, and thus, as a result, the user may beautomatically repositioned in the digital queue (without the interfacevisually indicating that the fan is being repositioned in the digitalqueue).

In some implementations, the normalized user parameter generated by thenormalization system may be encoded into a token using one or morehashing techniques. The token corresponding to the user can then betransmitted to the queuing system. For example, the queueing system canthen evaluate the token to identify a user identifier representing theuser and the normalized user parameter generated by the normalizationsystem. Once these two items of data are extracted or decoded from thetoken (e.g., the user identifier and the corresponding normalized userparameter), the queueing system can then assign a queue position of adigital queue to the user's request for access rights. The queueingsystem can process the queue positions in any manner, including but notlimited to in sequential order from highest normalized user parameter tolower normalized user parameter, in random order, in batches of anynumber (e.g., 100 queue positions corresponding to the next highestnormalized user parameters are automatically provided access to theinterface every five minutes or the number of queue positions that keepsa constant number of users accessing the interface).

In some implementations, when a user device accesses a gateway page ofthe online platform of the primary load management system, a uniquetoken can be created automatically (e.g., in response to the userselecting a button displayed on the gateway page). Upon detecting thatthe button is selected, at the back-end, the normalization system canreceive the user's user parameter from a database included in theprimary load management system, and generate a normalized user parameterby executing the one or more protocols that correspond to the specificresource requested. The normalized user parameter can then be encodedinto a token using one or more hashing techniques. The token can then besent to the queueing system for ordering amongst the other normalizeduser parameters of other users and placement at a queue position in adigital queue according to the determined ordering. All the while, theuser is not notified of the value of the normalized user parameter orthe position of the queue placement, but rather is simply routed to alanding website that does not provide access to the interface until theuser's queue position is selected and processed (e.g., is next in linein the digital queue). Advantageously, the creation of the tokenprovides proof that the user has been assigned to a queue positionbefore being granted access to the interface that enables the user torequest access rights to resources. Hackers, for example, may attempt toaccess the interface by bypassing the digital queue. As a technicalpoint of novelty or practical application, the hacker would not begranted access to the interface because the hacker does not have acorresponding token (which may have only been generated if the hackerhad been assigned to a queue position of the digital queue).

In some implementations, the protocol defined by the client or definedfor the specific resource may require additional information. Forexample, the client may provide a list of user features of users to thenormalization system. The normalization system can perform networktraffic modeling (originating from desktop browsers, mobile webbrowsers, or mobile native applications) based on the provided list ofuser features. The users on that list may be prioritized by thenormalization system, which may increase user parameter values only forusers who are included on the list provided by the client. For all otherusers, the normalization service may normalize user parameters byreducing the user parameter by a predetermined value. In someimplementations, the normalization system can generate a single valuebased on the multiple input signals received, such as from internal orexternal user scoring systems or third-party data sources. Upongenerating a single user parameter based on the received inputs, thenormalization system can create a token or unique code that encodes thenormalized user parameter and certain information about the user, suchas user identifier. Advantageously, the creation of the token or uniquecode obfuscates the user's identity, and thus, the normalization servicecan normalize user parameters of users securely. Depending on theembodiment, the queuing system may or may not be a system internal tothe normalization system itself.

It will be appreciated that the normalization of user parametersperformed by the normalization system determines the order in which userdevices are granted access to the interface. The interface enables userdevices to create and transmit requests for assignment of access rightsto a particular resource. Thus, the normalization system can cause theuser devices that are granted access to the interface to be controlledto some extent. Without exercising control of the network traffic at theinterface, the interface may fail to successfully facilitate theassignment of access rights to users. Accordingly, the control of whichusers are granted access to the interface and the order in which theusers are granted access to the interface has a practical application inblocking bots from accessing servers, thereby managing network loads.Thus, certain implementations described herein improve the technology ofmanaging network or Internet traffic load experienced at the interfaceby controlling access to the interface in a client-specific andautomatic manner.

Advantageously, there is variability of the normalization of userparameters on a resource-by-resource basis. That is, the protocols thatare executed to normalize the user parameters of users requesting accessrights to one resource may be different from the protocols that areexecuted to normalize user parameters of users requesting access rightsto another resource. Automated scripts cannot use the same techniques tobypass bot mitigation processes because the protocol changes perresource (e.g., per event) or per client (e.g., per venue manager orperformer). Further, the normalization of user parameters is performedin real-time and without the user's knowledge, and thus, bots may nothave sufficient notice to adapt to the different protocols for differentresources. It will be appreciated that the protocol being different on aresource-by-resource or client-by-client basis may include differentdata sources. For example, for a first resource, the normalizationsystem may prioritize users with user records included in data sources Aand B, whereas, for a second resource, the normalization system mayprioritize users with user records included in data sources C, F, and G.

It will be appreciated that the normalization system may combine anynumber of user parameters received from various data sources. Forexample, if the normalization system receives a first user parametercharacterizing a user from a first data source and a second userparameter characterizing that user from a second data source, thenormalization system can combine the first and second user parametersinto a single normalized user parameter. Non-limiting examples ofcombining multiple user parameters together into a single normalizeduser parameter may include summing the user parameters and computing anaverage, generating a weighted combination of the multiple userparameters (where the weight may be defined by a protocol), anyscore-blending technique defined by the client, or any other suitablecombination techniques.

In some implementations, the queueing system can perform continuousordering when one or more queue positions are processed and new queuepositions are added to the queue (based on new user requests fromadditional users). In some implementations, continuous ordering mayinclude prioritizing the users with the highest normalized userparameters to the front of the digital queue at all times.

It will be appreciated that the methods and various embodimentsdescribed above can be implemented in conjunction with any of themethods or implementations described below.

FIG. 11 is a block diagram illustrating a network environment forenabling queue positions to be assigned to users requesting accessrights to a resource, such that the queue position of a user is based onnormalized user parameters associated with that user. FIG. 11illustrates network environment 1100, which includes primary loadmanagement system 1014, web server 1110, messaging system 1115 (e.g., anSMS provider), and mobile device 1120. Primary load management system1014 may be configured to communicate with web server 1110 and messagingsystem 1115 through network 1105. Network 1105 may be any public and/orprivate network connected to the Internet.

Web server 1110 may include one or more servers configured to host oneor more webpages associated with the primary load management system1014. For example, web server 1110 may host a webpage that displays aninterface configured to enable users to create and transmit requests forassignment of access rights to a resource. The requests may betransmitted to the primary load management system, which may beconfigured to determine whether or not to assign the access right(s) tothe user. The determination of the assignment may be based on whether ornot the user has completed an assignment condition (e.g., purchased theticket). Web server 1110 may also facilitate the assignment process forrequesting assignment of one or more access rights that are publiclyavailable to be queried by user devices. Additionally, web server 1110may host a webpage that enables users to log in to the online platformthat is operated by the primary load management system 1014. Forexample, the webpage may be configured to receive login credentials fromusers to determine whether the users are authorized to access the onlineplatform.

Messaging system 1115 can include one or more servers that facilitatecommunications between primary load management system 1014 and mobiledevices. For example, messaging system 1115 can implement a messagingservice, such as SMS or push notifications, to communicate with mobiledevices (e.g., smartphones).

Mobile device 1120 can be any end user device that is configured to beoperated by a user. Examples of mobile device 1120 can includesmartphones, tablet devices, laptops, or any mobile computing device. Itwill be appreciated that non-portable devices may also be included innetwork environment 1100, and as such, while mobile device 1120 isportable, the present disclosure is not limited thereto. Mobile device1120 may be operated by a user. The user may operate mobile device 1120to access the one or more webpages hosted by web server 1110 in order toquery for and/or request assignment of access rights to a resource.

Queuing system 1125 may include one or more servers configured togenerate digital queues. Each digital queue may include a plurality ofqueue positions that arrange user identifiers, user requests, or tokenidentifiers. For example, a user may be represented by a useridentifier, a user request identifier, a session identifier, a tokenidentifier, or any other suitable unique identifier. Whicheveridentifier is used, the value of the identifier may be stored at a queueposition of a digital queue. For a given user identifier, the queueingsystem 1125 may evaluate the normalized user parameter and assign aqueue position to the corresponding user identifier based on thenormalized user parameter and the normalized user parameters of otherusers.

FIG. 12 is a swimlane diagram illustrating an example process flow 1200of the network environment of FIG. 11. Process flow 1200 can include oneor more communications between the primary load management system, thenormalization system, the queuing system, and the user device (forexample, mobile device 1120 as illustrated in FIG. 11). Process flow1200 begins at block 1205 where the primary load management systemgenerates unique access codes (representing unique access rights to aresource). At block 1210, the access rights that correspond to thegenerated access codes are published to the interface and queriablethough the interface. When the access rights are available or enabled tobe queried by user devices, they become searchable using the interface.Further, when the access rights are available or enabled to be queriedby user devices, the access rights are also available to be assigned touser devices requesting assignment of the access rights. For example, aparticular user device can query for access rights that satisfy acertain constraint (e.g., a location of the access right or resource)using the interface, and then the user device can transmit a requestthat the access right(s) that result from the query be assigned to theuser device. The user device may have to complete an assignment processto have the access right(s) assigned to the user device. However, whenaccess rights are accessible for querying, the databases that store theaccess rights often experience durations of high load around the timewhen the access rights are initially available to be queried. At block1215, a user device may access an online platform hosted by the primaryload management system. For example, the user device may log into theonline platform using login credentials.

At block 1220, the primary load management system may receive therequest from the user device to access the online platform. For example,the request to access the online platform hosted by the primary loadmanagement system may include login credentials to authenticate theuser. If the login credentials are valid, then process flow 1200proceeds to block 1225. If the login credentials are not valid, then theprocess flow 1200 ends.

At block 1225, the primary load management system can generate or accessa user parameter associated with the user or user device logged into theonline platform. The online platform may be a cloud-based applicationthat is accessible to end users and that is configured to enable usersto request the assignment of access rights to resources. The onlineplatform may generate or access a user parameter for each user that logsinto the online platform. The user parameters of users may be stored ina data store associated with the primary load management system. If theuser logging in is a new user (e.g., a user parameter has not previouslybeen generated for that user), then the primary load management systemmay generate a new user parameter for that user. Any technique may beused to generate a user parameter, which is a value that represents acharacteristic of a user, for example, U.S. Ser. No. 15/983,475, filedon May 18, 2018, the disclosure of which is incorporated herein byreference in its entirety for all purposes, describes a technique forgenerating a user parameter (also referred to as a resource-affinityparameter). Each user may be assigned to a queue position of a digitalqueue according to the user parameter associated with the user, suchthat the digital queue positions the users in an ordinal arrangement. Itwill be appreciated that any user scoring technique may be used with theimplementations described herein. That is, the protocol(s) defined by aclient may be executed to normalize user parameters, regardless of howthe user parameters are generated or computed.

At block 1230, the normalization system may receive the user parameterfor each user who logged into the online platform. The normalizationsystem may then identify a resource identifier associated with theuser's request to log into the online platform. For example, after theuser device accesses the primary load management system to log in to theonline platform, the user device may transmit to the primary loadmanagement system an indication of which resource the user device seeksto access. User input may be received at a webpage hosted by the primaryload management system. The user input may correspond to a selection oran identification of a resource. The primary load management system maythen identify a resource identifier that uniquely identifies theresource selected or identified by the user. As another example, theuser device may access a login page specifically associated with theresource. Upon logging in to the login page, the primary load managementsystem may detect that the user device has logged in to the login pageassociated with the resource, and in response, may append a resourceidentifier to a session identifier, user identifier, or token identifierthat uniquely identifies the user's session. The normalization system,at block 1230, may detect the appended resource identifier.

At block 1235, the normalization system may access or otherwise identifyor determine one or more protocols of a protocol set using the resourceidentifier. The one or more protocols of the protocol set may be storedin a database accessible to the primary load management system and thenormalization system. The protocol set may be stored in association withthe corresponding resource identifier so as to be queriable by thenormalization system. In some implementations, the normalization systemis included in the primary load management system. In otherimplementations, the normalization system may be external to the primaryload management system.

At block 1240, the normalization system may execute the one or moreprotocols of the protocol set that corresponds to the resourceidentifier. Executing the one or more protocols of the protocol set(which is defined by or for the specific client associated with theresource) may cause the user parameter associated with the user to benormalized (e.g., modified in a manner that is specific to an objectiveof the client). Further, the one or more protocols may be executed inassociation with each queue position of the digital queue. Some or allof the user parameters associated with the queue positions of thedigital queue may be modified according to the protocol set. As anon-limiting example, a protocol may indicate that of a set of users whorequested access to a resource, the subset of users who are included ina predetermined group, may be prioritized in the digital queue.Prioritizing the subset of users may include modifying the userparameters of each user of the subset of users to improve the likelihoodof the user being granted access to the interface before other users(e.g., users not included in the subset). In this case, the protocol isassociated with an objective of the client, such as to provide earlieraccess to the interface to the users who are members of thepredetermined group.

At block 1245, the user requests (e.g., the requests by the user toaccess the interface that enables the user to request assignment ofaccess rights to the resource) may be positioned in a digital queueaccording to the normalized user parameter of each user. At block 1250,at a regular or irregular time interval, a group of queue positions ofthe digital queue may be granted access to the interface. For example,at block 1250, the user device is granted access to the interface and isthen enabled to create and transmit requests for one or more accessrights to the resource to be assigned to the user.

FIG. 13 is a block diagram illustrating an example of a networkenvironment 1300 for generating user parameters for users. Networkenvironment 1300 can include global user parameter data store 1305 andlocal user parameter data store 1315. Global user parameter data store1305 can store data structure 1310, which includes the global userparameters for one or more users (e.g., User A, User B, User C, and soon). Local user parameter data store 1315 can store data structure 1320,which includes the local user parameters for one or more users (e.g.,User A, User B, User C, and so on). Each of the global user parameterand local user parameter of a user can be generated by accessing andprocessing a plurality of data points associated with the user. Further,in some examples, each of a global user parameter and a local userparameter may be generated for a particular user. In some examples,either a global or local user parameter can be generated for aparticular user.

Further, the global user parameter data points and the local userparameter data points can each be fed into a machine-learning model togenerate a result that indicates a likelihood that the user will accessa resource (e.g., the likelihood being represented by the normalizeduser parameter). The parameter generator 1325 can implement themachine-learning techniques to compute the global and/or localparameters for a user. For example, the combination of the global userparameter and the local user parameter may be implemented using one ormore ensemble method learning algorithms. In some implementations, thealgorithm used to calculate global user parameters may be a classifiermodel (e.g., a support vector machine (SVM) model, kernel methods,etc.), however, the present disclosure is not limited thereto. In someimplementations, the algorithm used to calculate local user parametersmay be a random forest model, however, the present disclosure is notlimited thereto. The algorithms executed to calculate the global andlocal user parameters may be the same or may be different from eachother. In some implementations, a final user parameter may be acombination of the calculated global user parameter and the calculatedlocal user parameter. Combining the global user parameter and thecalculated local user parameter may include any combination technique,including averaging, summing, subtracting, multiplying, dividing, aweighted combination, or any complex combination technique.

While FIG. 13 illustrates that user parameters for User A, User B, andUser C are stored in each of data structures 1310 and 1320, it will beappreciated that any number of users can be represented in each of thedata structures. For the purpose of illustration, User C is used todescribe the global and local user parameters.

As a non-limiting example, the global user parameter can represent thelikelihood that a user will ultimately access any resource generally.The global user parameter is not specific to a particular resource, butrather the global user parameter represents the general likelihood theuser will access any resource. In some cases, the global user parametercan represent the degree to which the user is predicted to be a bot. Insome cases, the global user parameter can represent the likelihood thata user will transfer an access right to another user. The global userparameter data may include previous access rights access by the user andother metadata associated with each instance of accessing a resource,such as date, time, location, whether or not the user actually accessedthe resource after being assigned an access right to the resource, andso on.

Non-limiting examples of data points that are used to calculate theglobal user parameter can include a distance between a detected userlocation and any resource-associated locations (e.g., spatial regions ofa resource), previous access right assignment data (e.g., has the usertransferred other access rights previously?), the number of accessrights that were assigned to the user within a specified time period,frequency of being assigned to access rights that enable access to aresource during a time period, and being assigned to access rights thatenable access to another resource during that same time period, has theuser requested assignment of multiple sets of access rights in differenttransactions, third-party data sets, the local user parameter of theuser (e.g., the local user parameter can be used as a data point for theglobal user parameter, and vice versa), whether or not the user hasrequested assignment of an access right to a resource associated with alocation that is different from the detected location of the user device(e.g., the location associated with the detected IP address), whether ornot (and how many times) an access right requested by the user has beendetected on a secondary load management system, how many times the userhas ultimately accessed any resources using valid access rights, andother suitable data points. As described above, the global userparameter indicates a likelihood of meeting an objective, however, theobjective is not specific to a particular resource, but rather,indicates the likelihood of meeting an objective associated withresources generally.

Continuing with the non-limiting example above, the local user parametermay be specific to an access right to a resource. For example, the localuser parameter can represent a likelihood that a user will ultimatelyaccess a particular resource during a time period when the resource isenabled to be accessible.

Non-limiting examples of data points that are used to calculate thelocal user parameter can include any one or more of the data points usedfor the global user parameter, and additionally or alternatively,affinity data from social media networks, historical data representingwhich web servers were previously accessed, the data provided by theuser during an initialization process, device type used during theinitialization process (e.g. to register the user), whether or not theuser has previously accessed resources associated with a particularentity, whether or not the user has accessed the specific resourcebefore, whether or not the user has previously transferred an accessright to the particular resource to another user device, whether or notthe user requested assignment of an access right to a resourceassociated with a location that is different from the detected userlocation (e.g., the location associated with the detected IP address),and other suitable data points. It will be appreciated that there may beoverlap between the global user parameter data points and the local userparameter data points. As described above, the difference between theglobal user parameter and the local user parameter is that the globaluser parameter represents a likelihood of the user meeting an objectiveassociated with resources generally, whereas, the local user parameterrepresents a likelihood of the user meeting an objective associated witha particular resource. It will be appreciated that the data pointsassociated with global user parameter may be inputted into the samemachine-learning model or a different machine-learning model as the datapoints associated with the global user parameter.

It will be appreciated that the global user parameter and the local userparameter can be any integer or non-integer between any range of values.Further, the range of values the global user parameter may or may not bethe same as the range of values for the local user parameter. In someimplementations, the range of values for each of the global userparameter and the local user parameter may any value between zero andone. In some implementations, the global and local user parameters canbe used to label users either positively or negatively. As anon-limiting example, when a user device completes the assignmentprocess for an access right (e.g., the user requests that the accessright be assigned to the user, and the access right is ultimatelyassigned to the user), and that user ultimately accesses the resourceduring the time period when the resource is accessible, the user can belabeled positively. In this example, a global user parameter of 0.9 maybe calculated for the user, which indicates a high likelihood of meetingan objective associated with resources generally. As another example, ifthe user device completed the assignment process, and the access rightwas detected at a secondary load management system, the user may belabeled negatively. In this example, a global user parameter of 0.3 maybe calculated for the user, which indicates a low likelihood of meetingan objective associated with resources generally.

Advantageously, if User C is requesting assignment for Resource A, butUser C commonly transfers access rights to other user devices, the userparameter for User C in the context of Resource A may indicate that UserC is likely to access Resource A during the time period when Resource Ais accessible, whereas, the user parameter for User C in the context ofResource B may indicate that User C is not likely to access Resource Bduring the time period when Resource B is accessible.

Additionally, according to certain aspects and features describedherein, when a user logs in to the online platform seeking to requestaccess right(s) to a resource, the normalization system 1330 mayretrieve the user parameter generated for that user. If the user is anew user, then a new user parameter may be generated for the useraccording to FIG. 13, or any other technique for generating a userparameter (e.g., a user score). Normalization system 1330 may access aprotocol database 1335 to determine which protocols are to be executedfor the resource to which the user is requesting access. Thenormalization system 1330 may execute the one or more protocols of theprotocol set, which may cause some or all of the user parameter of theusers requesting access to the resource to be normalized (e.g.,modified). That is, a normalized user parameter specific to the resourcemay be generated for the purpose of assigning queue positions of adigital queue to the users.

FIG. 14 is a block diagram illustrating network environment 1400 forassigning queue positions of a digital queue to user devices based on aclient-specific protocol set, according to some aspects of the presentdisclosure. In some implementations, network environment 1400 mayinclude bot 1405, server 1410, computer 1415, and mobile device 1420.Network environment 1400 may also include primary load management system1465, which may be a system that manages the assignment of access rightsto various users. For example, primary load management system 1465 canstore unique identifiers that uniquely identify access rights (notshown). Primary load management system 1465 may also store (inassociation with each unique identifier) a user identifier associatedwith a user to which the access right(s) is assigned in access rightassignments database 1460. Bot 1405 may include scripts that can beexecuted to autonomously perform one or more functions. Bot 1405 can useApplication Programming Interfaces (APIs) to interact with systems.Server 1410 may include one or more servers configured to directlyinteract with primary load management system 1465 (e.g., using scripts).For example, server 1410 may automatically transmit a communication toprimary load management system 1465 to query for access rights to aresource without a human user initiating the interaction. In some cases,server 1410 can execute bot 1405. Computer 1415 can be operated by auser to interact with primary load management system 1465 to requestassignment to access rights to resources. Mobile device 1420 can also beoperated by a user to interact with primary load management system 1465to request assignment of access rights to resources.

Each of bot 1405, server 1410, computer 1415, and mobile device 1420 mayindividually transmit a communication (each at any time) to primary loadmanagement system 1465. For example, each communication received maycorrespond to a request to access an interface that enables users torequest assignment of access rights to a particular resource. That is,each of bot 1405, server 1410, computer 1415, and mobile device 1420 maybe requesting access to the same resource. Detection layers 1425, 1430,and 1435 can detect and/or control unauthorized access to databasesassociated with primary load management system 1465. It will beappreciated that any number of detection layers may be implemented, andthe various detection layers may be the same or different from eachother. For example, detection layers 1425, 1430, and 1435 may eachinclude a detection system or service that detects the presence of bots,hackers, specific systems (e.g., secondary management systems), orunauthorized user access using any number of detection techniques (e.g.,IP blocking, client time limits, client request frequency limits, clientrequest limits on access inventory, reverse TURING tests, speed orfrequency of queries during a time period, API access behavior patternevaluation, bot pattern evaluation of sensor data associated with thedevice transmitting the communication, and other suitable techniques),and then blocks the detected communications, systems, or users. Bots andother devices, however, may sometimes pass through the detection layersundetected. As illustrated in FIG. 14, communications from bot 1405,server 1410, computer 1415, and mobile device 1420 pass throughdetection layers 1425, 1430, and 1435 undetected. In this situation,primary load management system 1465 may still prevent bots and other badactors from requesting access rights to a resource by prioritizingcertain requests, such as the communication from mobile device 1420,over other requests, such as the communication from bot 1405 using thenormalization system 1450.

The communication from each of bot 1405, server 1410, computer 1415, andmobile device 1420 may be received at user parameter generator 1445. Auser parameter may already have been generated for bot 1405, server1410, computer 1415, and/or mobile device 1420. In that case, thecorresponding user parameter may be queried from a database that storesuser parameters. User parameter generator 1445 may extract a unique useridentifier from the communications received, and use that unique useridentifier to retrieve the corresponding user parameter. If any of bot1405, server 1410, computer 1415, or mobile device 1420 does not have auser parameter (e.g., if any of these users are new to the onlineplatform), then user parameter generator 1445 may generate a userparameter using any user scoring technique. For example, the techniquesdescribed in FIG. 13 may be executed to generate a new user parameterfor a new user.

Normalization system 1450 may retrieve the user parameters for each ofbot 1405, server 1410, computer 1415, and mobile device 1420. Further,normalization system 1450 may detect a resource identifier included inthe communication received from each of bot 1405, server 1410, computer1415, and mobile device 1420. Normalization system 1450 may thenretrieve one or more protocols from protocol database 1440.Normalization system 1450 may then execute the retrieved protocols.Executing the protocol may cause the normalization system 1450 to modifyone or more of the retrieved user parameters. To illustrate and as anon-limiting example, the protocol may include executable code that,when executed, transmits a list of user identifiers to the normalizationsystem 1450. The list may include user identifiers for users that areincluded in a predetermined group (e.g., a club targeted by the client).The list may be defined by a client associated with the resource.Normalization system 1450 can then match the user identifiers in thelist against the user identifiers of bot 1405, server 1410, computer1415, and mobile device 1420. For example, the user identifier formobile device 1420 may be included in the list of user identifiers. Inthis non-limiting example, normalization system 1450 may then normalizethe user parameters associated with bot 1405, server 1410, computer1415, and mobile device 1420 by subtracting a value (e.g., 0.3) fromeach of the user parameters for bot 1405, server 1410, and computer 1415and adding a value (0.8) to the user parameter for mobile device 1420.Normalization system 1450 may then transmit the normalized userparameters to queueing system 1455, which may be configured to assign aqueue position to each of bot 1405, server 1410, computer 1415, andmobile device 1420. Continuing with the non-limiting example above,queuing system 1455 may assign the first queue position in a digitalqueue associated with the resource to mobile device 1420; the secondthrough fourth queue positions to bot 1405, server 1410, and computer1415 according to the corresponding normalized user parameters. Becausethe mobile device 1420 is assigned the first queue position in thedigital queue, the mobile device may be granted access to the interfaceto request assignment of access rights to the resource before the bot1405, server 1410, and computer 1415. Bot 1405, server 1410, andcomputer 1415 may be granted access to the interface in accordance withthe corresponding queue positions in the digital queue. Advantageously,each client can define which attributes of users are to be prioritizedfor the corresponding resource, and thus, automated scripts may beprevented from accessing resources in a dynamic and client-specificmanner.

Specific details are given in the above description to provide athorough understanding of the embodiments. However, it is understoodthat the embodiments can be practiced without these specific details.For example, circuits can be shown in block diagrams in order not toobscure the embodiments in unnecessary detail. In other instances,well-known circuits, processes, algorithms, structures, and techniquescan be shown without unnecessary detail in order to avoid obscuring theembodiments.

Implementation of the techniques, blocks, steps and means describedabove can be done in various ways. For example, these techniques,blocks, processes, steps and means can be implemented in hardware,software, or a combination thereof. For a hardware implementation, theprocessing units can be implemented within one or more applicationspecific integrated circuits (ASICs), digital signal processors (DSPs),digital signal processing devices (DSPDs), programmable logic devices(PLDs), field programmable gate arrays (FPGAs), processors, controllers,micro-controllers, microprocessors, other electronic units designed toperform the functions described above, and/or a combination thereof.

Also, it is noted that the embodiments can be described as a processwhich is depicted as a flowchart, a flow diagram, a data flow diagram, astructure diagram, or a block diagram. Although a flowchart can describethe operations as a sequential process, many of the operations can beperformed in parallel or concurrently, or in any combination. Inaddition, the order of the operations can be re-arranged. A process isterminated when its operations are completed, but could have additionalsteps not included in the figure. A process can correspond to a method,a function, a procedure, a subroutine, a subprogram, etc. When a processcorresponds to a function, its termination corresponds to a return ofthe function to the calling function or the main function.

Furthermore, embodiments can be implemented by hardware, software,scripting languages, firmware, middleware, microcode, hardwaredescription languages, and/or any combination thereof. When implementedin software, firmware, middleware, scripting language, and/or microcode,the program code or code segments to perform the necessary tasks can bestored in a machine readable medium such as a storage medium. A codesegment or machine-executable instruction can represent a procedure, afunction, a subprogram, a program, a routine, a subroutine, a module, asoftware package, a script, a class, or any combination of instructions,data structures, and/or program statements. A code segment can becoupled to another code segment or a hardware circuit by passing and/orreceiving information, data, arguments, parameters, and/or memorycontents. Information, arguments, parameters, data, etc. can be passed,forwarded, or transmitted via any suitable means including memorysharing, message passing, network transmission, etc.

For a firmware and/or software implementation, the methodologies can beimplemented with modules (e.g., procedures, functions, and so on) thatperform the functions described herein. Any machine-readable mediumtangibly embodying instructions can be used in implementing themethodologies described herein. For example, software codes can bestored in a memory. Memory can be implemented within the processor orexternal to the processor. As used herein the term “memory” refers toany type of long term, short term, volatile, nonvolatile, or otherstorage medium and is not to be limited to any particular type of memoryor number of memories, or type of media upon which memory is stored.

Moreover, as disclosed herein, the term “storage medium”, “storage” or“memory” can represent one or more memories for storing data, includingread only memory (ROM), random access memory (RAM), magnetic RAM, corememory, magnetic disk storage mediums, optical storage mediums, flashmemory devices and/or other machine readable mediums for storinginformation. The term “machine-readable medium” includes, but is notlimited to portable or fixed storage devices, optical storage devices,wireless channels, and/or various other storage mediums capable ofstoring that contain or carry instruction(s) and/or data.

While the principles of the disclosure have been described above inconnection with specific apparatuses and methods, it is to be clearlyunderstood that this description is made only by way of example and notas limitation on the scope of the disclosure.

1. (canceled)
 2. A computer-implemented method, comprising: generatingan interface configured to enable a user device to transmit a requestfor assignment of one or more access rights to a resource; receiving acommunication from each user device of a plurality of user devices, andthe communication from each user device including a request to accessthe interface; retrieving a plurality of user parameters, each userparameter of the plurality of user parameters being associated with auser device from which a communication was received; executing aprotocol corresponding to the resource, the protocol being configured todetermine an ordinal arrangement of the plurality of user devicesawaiting access to the interface; assigning a queue position of adigital queue to each of the plurality of user devices, the assignmentof the queue positions being performed as part of executing theprotocol; and selecting, at a regular or irregular interval, one or moreuser devices of the plurality of user devices, the selection being basedon the ordinal arrangement of the plurality of user devices, and eachuser device of the one or more selected user devices being grantedaccess to the interface.
 3. The computer-implemented method of claim 2,wherein executing the protocol further comprises: retrieving a pluralityof user parameters, each user parameter of the plurality of userparameters being associated with a user device from which acommunication was received; and normalizing the plurality of userparameters, wherein normalizing the plurality of user parametersincludes modifying at least one user parameter of the plurality of userparameters to bias access to the interface towards a target group ofuser devices from amongst the plurality of user devices.
 4. Thecomputer-implemented method of claim 3, further comprising: biasingaccess to the interface towards the target group of user devices by:identifying which user devices of the plurality of user devices are alsoincluded in a target group of user devices; and for each user deviceincluded in both the plurality of user devices and the target group ofuser devices, modifying a user parameter corresponding to the userdevice so as to change a queue position associated with the user device,so that the user device is selected to access to the interface before auser device that is not included in the target group.
 5. Thecomputer-implemented method of claim 2, further comprising: grantingaccess to the interface for each user device included in the selectedone or more user devices; receiving, at the interface, a request forassignment of an access right to the resource, the request forassignment of the access right being received from a user deviceincluded in the selected one or more user devices; and in response toreceiving the request for assignment, assigning the access right to theresource to the user device.
 6. The computer-implemented method of claim2, wherein a user device of the plurality of user devices is not grantedaccess to the interface until the user device is included in theselected one or more user devices.
 7. The computer-implemented method ofclaim 2, wherein each user parameter includes a value that represents acharacteristic of the corresponding user device or a user associatedwith the corresponding user device.
 8. The computer-implemented methodof claim 2, further comprising: generating a token for each user deviceof the plurality of user devices awaiting access to the interface,wherein the token is a unique value that validates a duration of timethe user device awaited access to the interface in the digital queue. 9.A system, comprising: one or more processors; and a non-transitorycomputer-readable storage medium containing instructions which, whenexecuted on the one or more processors, cause the one or more processorsto perform operations including: generating an interface configured toenable a user device to transmit a request for assignment of one or moreaccess rights to a resource; receiving a communication from each userdevice of a plurality of user devices, and the communication from eachuser device including a request to access the interface; retrieving aplurality of user parameters, each user parameter of the plurality ofuser parameters being associated with a user device from which acommunication was received; executing a protocol corresponding to theresource, the protocol being configured to determine an ordinalarrangement of the plurality of user devices awaiting access to theinterface; assigning a queue position of a digital queue to each of theplurality of user devices, the assignment of the queue positions beingperformed as part of executing the protocol; and selecting, at a regularor irregular interval, one or more user devices of the plurality of userdevices, the selection being based on the ordinal arrangement of theplurality of user devices, and each user device of the one or moreselected user devices being granted access to the interface.
 10. Thesystem of claim 9, wherein executing the protocol further comprises:retrieving a plurality of user parameters, each user parameter of theplurality of user parameters being associated with a user device fromwhich a communication was received; and normalizing the plurality ofuser parameters, wherein normalizing the plurality of user parametersincludes modifying at least one user parameter of the plurality of userparameters to bias access to the interface towards a target group ofuser devices from amongst the plurality of user devices.
 11. The systemof claim 10, wherein the operations further comprise: biasing access tothe interface towards the target group of user devices by: identifyingwhich user devices of the plurality of user devices are also included ina target group of user devices; and for each user device included inboth the plurality of user devices and the target group of user devices,modifying a user parameter corresponding to the user device so as tochange a queue position associated with the user device, so that theuser device is selected to access to the interface before a user devicethat is not included in the target group.
 12. The system of claim 9,wherein the operations further comprise: granting access to theinterface for each user device included in the selected one or more userdevices; receiving, at the interface, a request for assignment of anaccess right to the resource, the request for assignment of the accessright being received from a user device included in the selected one ormore user devices; and in response to receiving the request forassignment, assigning the access right to the resource to the userdevice.
 13. The system of claim 9, wherein a user device of theplurality of user devices is not granted access to the interface untilthe user device is included in the selected one or more user devices.14. The system of claim 9, wherein each user parameter includes a valuethat represents a characteristic of the corresponding user device or auser associated with the corresponding user device.
 15. The system ofclaim 9, wherein the operations further comprise: generating a token foreach user device of the plurality of user devices awaiting access to theinterface, wherein the token is a unique value that validates a durationof time the user device awaited access to the interface in the digitalqueue.
 16. A computer-program product tangibly embodied in anon-transitory machine-readable storage medium, including instructionsconfigured to cause a processing apparatus to perform operationsincluding: generating an interface configured to enable a user device totransmit a request for assignment of one or more access rights to aresource; receiving a communication from each user device of a pluralityof user devices, and the communication from each user device including arequest to access the interface; retrieving a plurality of userparameters, each user parameter of the plurality of user parametersbeing associated with a user device from which a communication wasreceived; executing a protocol corresponding to the resource, theprotocol being configured to determine an ordinal arrangement of theplurality of user devices awaiting access to the interface; assigning aqueue position of a digital queue to each of the plurality of userdevices, the assignment of the queue positions being performed as partof executing the protocol; and selecting, at a regular or irregularinterval, one or more user devices of the plurality of user devices, theselection being based on the ordinal arrangement of the plurality ofuser devices, and each user device of the one or more selected userdevices being granted access to the interface.
 17. The computer-programproduct of claim 16, wherein executing the protocol further comprises:retrieving a plurality of user parameters, each user parameter of theplurality of user parameters being associated with a user device fromwhich a communication was received; and normalizing the plurality ofuser parameters, wherein normalizing the plurality of user parametersincludes modifying at least one user parameter of the plurality of userparameters to bias access to the interface towards a target group ofuser devices from amongst the plurality of user devices.
 18. Thecomputer-program product of claim 17, wherein the operations furthercomprise: biasing access to the interface towards the target group ofuser devices by: identifying which user devices of the plurality of userdevices are also included in a target group of user devices; and foreach user device included in both the plurality of user devices and thetarget group of user devices, modifying a user parameter correspondingto the user device so as to change a queue position associated with theuser device, so that the user device is selected to access to theinterface before a user device that is not included in the target group.19. The computer-program product of claim 16, wherein the operationsfurther comprise: granting access to the interface for each user deviceincluded in the selected one or more user devices; receiving, at theinterface, a request for assignment of an access right to the resource,the request for assignment of the access right being received from auser device included in the selected one or more user devices; and inresponse to receiving the request for assignment, assigning the accessright to the resource to the user device.
 20. The computer-programproduct of claim 16, wherein a user device of the plurality of userdevices is not granted access to the interface until the user device isincluded in the selected one or more user devices.
 21. Thecomputer-program product of claim 16, wherein each user parameterincludes a value that represents a characteristic of the correspondinguser device or a user associated with the corresponding user device.